Abstract


CLF is a new logical framework with an intrinsic notion of concurrency. It is designed as a conservative extension of the linear logical framework LLF with the synchronous connectives ⊗, 1, !, and ∃ of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the asynchronous connectives ⊸, & and ⊤.

In this report, the second of two technical reports describing CLF, we illustrate the expressive power of the framework by encoding several different concurrent languages, including both the synchronous and asynchronous π-calculus, an ML-like language with futures, lazy evaluation and concurrency primitives in the style of CML, Petri nets and, finally, the security protocol specification language MSR.

Throughout  the  report  we  assume  the  reader  is  already  familiar  with  the  formal  definition  of 
CLF.  For  detailed  explanation  and  development  of  the  type  theory,  please  see  A  Concurrent 
Logical  Framework  I:  Judgments  and  Properties  [WCPW02]. 


Keywords:  logical  frameworks,  type  theory,  linear  logic,  concurrency 


Contents 




1 Introduction 3

2 The Concurrent Logical Framework CLF 4
2.1 Syntax 4
2.2 Typing Judgments 5
2.3 Definitional Equality 6
2.4 Properties of CLF 6

3 The π-Calculus in CLF 7
3.1 The Asynchronous π-calculus 7
3.1.1 Syntax 7
3.1.2 Operational Semantics 8
3.1.3 Alternate Encodings 11
3.2 The Synchronous π-Calculus 11
3.2.1 Syntax 12
3.2.2 Operational Semantics 13
3.2.3 Adequacy 14

4 Concurrent ML in CLF 17
4.1 Destination-Passing Style 17
4.2 Sequential Functional Programming 18
4.3 Suspensions with Memoization 21
4.4 State and Concurrency 21

5 Petri Nets in CLF 26
5.1 Multisets 26
5.2 Petri Nets 27
5.2.1 Interleaving Semantics 28
5.2.2 Trace Semantics 32
5.2.3 Equivalence 33
5.3 Sequential CLF Representation 37
5.3.1 Representation of Petri nets 37
5.3.2 Representation of Markings 39
5.3.3 Representation of Execution Sequences 39
5.3.4 Adequacy Theorems 40
5.4 Concurrent CLF Representation 42
5.4.1 Representation of Traces 43
5.4.2 Adequacy Theorems 45
5.5 Petri Nets in LLF 46

6 Specification of Security Protocol 48
6.1 The Security Protocol Specification Language MSR 48
6.1.1 Syntax 49
6.1.2 Example 51
6.1.3 Semantics 53
6.2 CLF Encoding 55
6.2.1 MSR 55
6.2.2 Example 58
6.2.3 Adequacy Results 59

7 Conclusions 61

A Syntax and judgments of CLF 62
A.1 Syntax 62
A.2 Equality 62
A.3 Instantiation 63
A.4 Expansion 64
A.5 Typing 65

B Adequacy of the Synchronous π-calculus 67
B.1 Syntax and Semantics 67
B.1.1 Syntax 67
B.1.2 Structural Equivalence 68
B.1.3 Reduction 68
B.1.4 Multi-Step Reduction 68
B.1.5 Normal Processes 68
B.2 The Encoding 69
B.2.1 Syntactic Classes 69
B.2.2 Pi-Calculus Terms 69
B.2.3 Representation of syntax 69
B.2.4 Adequacy of Syntax 70
B.2.5 Reduction rules 71
B.2.6 Representation of Reduction 71
B.2.7 Properties of Context Equivalence 72
B.2.8 Reactive Processes 73
B.2.9 Adequacy of Reductions 77


List of Figures

1 A Producer/Consumer Net 28
2 A Later Marking in the Producer/Consumer Net 29
3 A Trace in the Producer/Consumer Net 32


1  Introduction 


A logical framework [Pfe01b, BM01] is a meta-language for the specification and implementation of deductive systems, which are used pervasively in logic and the theory of programming languages. A logical framework should be as simple and uniform as possible, yet provide intrinsic means for representing common concepts and operations in its application domain.

The particular lineage of logical frameworks we are concerned with in this paper started with the Automath languages [dB80], which originated the use of dependent types. It was followed by LF [HHP93], crystallizing the judgments-as-types principle. LF is based on a minimal type theory λ^Π with only the dependent function type constructor Π. It nonetheless directly supports concise and elegant expression of variable renaming and capture-avoiding substitution at the level of syntax, and of parametric and hypothetical judgments in deductions. Moreover, proofs are reified as objects, which allows properties of or relations between proofs to be expressed within the framework [Pfe91].

Representations of systems involving state remained cumbersome until the design of the linear logical framework LLF [CP98] and its close relative RLF [IP98]. For example, LLF allows an elegant representation of Mini-ML with mutable references that reifies imperative computations as objects. LLF is a conservative extension of LF with the linear function type A ⊸ B, the additive product type A & B, and the additive unit type ⊤. This type theory corresponds to the largest freely generated fragment of intuitionistic linear logic [HM94, Bar96] whose proofs admit long normal forms without any commuting conversions. This allows a relatively simple type-directed equality-checking algorithm, which is critical in the proof of decidability of type-checking for the framework [CP98, VC00].

While LLF solved many problems associated with stateful computation, the encoding of concurrent computations remained unsatisfactory. In this report, we demonstrate that the limitations of LLF can be overcome by extending the framework with a monad that incorporates the synchronous connectives ⊗, 1, !, and ∃ of intuitionistic linear logic. We call this new framework Concurrent LF (CLF).

Readers interested in the meta-theory of CLF should read the precursor to this report [WCPW02], which explains the formulation of the framework and describes its typing judgments and properties in detail. Here, we review the syntax of CLF and state some fundamental properties of the framework (Section 2). However, we give no explanation of the typing rules; they are merely included as a reference (see Appendix A).

The purpose of this report is to demonstrate the expressive power of CLF through a series of examples and, in particular, to focus on CLF's effectiveness at encoding concurrent programming paradigms. In Section 3, we present the essence of concurrent programming, the π-calculus [Mil99]. We give encodings of both the synchronous and asynchronous π-calculus and a proof of adequacy in the synchronous case. The adequacy proof for the asynchronous case follows similar, but simpler, lines.

In Section 4, we give a novel encoding of an ML-like language with a destination-passing style operational semantics. The encoding is highly modular and we are easily able to treat a significant fragment of a practical programming language. More specifically, we show how to encode functions, recursion, definitions, unit type, pair type, mutable references, lazy evaluation, futures in the style of Multi-Lisp, and concurrency primitives in the style of CML. Although we do not show it here, this encoding may easily be extended to include polymorphism, unit types, sum types, union types and intersection types.

In  section  5,  we  demonstrate  our  framework’s  capacity  for  representing  truly  concurrent 
computations  [Maz95]  by  giving  an  encoding  of  Petri  nets  and  proving  it  adequate.  We 
discuss  both  the  operational  semantics  that  identifies  independent  interleavings  of  transition 
applications  and  the  description  of  the  behavior  of  a  Petri  net  stemming  from  trace  theory. 

In  section  6,  we  explore  a  promising  application  area,  the  specification  and  verification 
of  security  protocols.  In  particular,  we  show  how  to  encode  MSR,  a  rich,  strongly  typed 
framework  for  representing  cryptographic  protocols.  Finally,  we  conclude  with  section  7. 


2  The  Concurrent  Logical  Framework  CLF 

In contrast to prior presentations of the logical framework LF, all terms are represented in β-normal, η-long form, what in [HP00] are called quasi-canonical forms. The strategy based entirely on canonical forms also simplifies adequacy proofs for representations of other theories within CLF, because such representations are always defined in terms of canonical forms.

This new presentation also simplifies the proof that type checking is decidable. Normally, the proof of decidability of type checking is quite involved because the type checking algorithm must compare the objects that appear in types for equality. However, in our framework, where all terms are β-normal, η-long, equality checking reduces to α-convertibility and is trivially decidable. Type checking is slightly more complex because checking dependent functions requires that we substitute terms into other types and terms. In order to maintain the invariant that all terms are β-normal, η-long, substitution must simultaneously normalize objects. We call this new form of substitution canonical substitution; the reader is encouraged to examine the first technical report in this series for details [WCPW02].

2.1  Syntax 

The syntactic presentation of canonical forms is based on a distinction between normal objects N and atomic objects R. It is convenient to make a similar distinction between normal types A and atomic types P, and to segregate the connectives restricted to the monad as the monadic (synchronous) types S. For kinds, there are no constants (there is only the symbol type), so there are only normal kinds K. A normal object is a series of introduction rules applied to atomic objects, while an atomic object is a series of natural-deduction style elimination rules applied to a variable or constant. The only elimination not permitted is the monad elimination rule, which is foreign to natural deduction.

In order to control the monad elimination rule, it is isolated in a separate syntactic class of expressions E, only permitted directly inside a monad introduction. Introductions for the connectives restricted to the monad must occur immediately before the transition from objects to expressions. While this is already guaranteed by the syntactic restrictions on synchronous types, it is convenient to make the distinction at the level of the object syntax as well, so there is a class of monadic (normal) objects M. Eliminations of the connectives restricted to the monad are all invertible and are represented syntactically by patterns p.
We also use the symbol kind to classify the valid kinds. Throughout the presentation, terms that differ only in the names of their bound variables are considered to be the same. In addition, the metavariable Δ always denotes an equivalence class of linear contexts up to rearrangement.


$$\begin{array}{lcl}
K, L & ::= & \mathsf{type} \mid \Pi u{:}A.\,K \\
A, B, C & ::= & A \multimap B \mid \Pi u{:}A.\,B \mid A \,\&\, B \mid \top \mid \{S\} \mid P \\
P & ::= & a \mid P\,N \\
S & ::= & S_1 \otimes S_2 \mid 1 \mid \exists u{:}A.\,S \mid\; !A \mid A \\[1ex]
\Gamma & ::= & \cdot \mid \Gamma, u{:}A \\
\Delta & ::= & \cdot \mid \Delta, x{\wedge}A \\
\Sigma & ::= & \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A \\[1ex]
N & ::= & \hat{\lambda}x.\,N \mid \lambda u.\,N \mid \langle N_1, N_2 \rangle \mid \langle\rangle \mid \{E\} \mid R \\
R & ::= & c \mid u \mid x \mid R{\wedge}N \mid R\,N \mid \pi_1 R \mid \pi_2 R \\
E & ::= & \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E \mid M \\
M & ::= & M_1 \otimes M_2 \mid 1 \mid [N, M] \mid\; !N \mid N \\
p & ::= & p_1 \otimes p_2 \mid 1 \mid [u, p] \mid\; !u \mid x \\
\Psi & ::= & \cdot \mid p{\wedge}S, \Psi
\end{array}$$

2.2  Typing  Judgments 

There is a typing judgement for each syntactic category, as well as well-formedness judgements for contexts Γ and signatures Σ. Each of these judgements is defined in a completely syntax-directed manner, so termination and decidability of typing is clear. For each of the normal syntactic categories the operational interpretation of the type-checking judgement is that a putative type is provided, and the judgement holds if the term can be typed with the given type. In particular, a normal term such as λx. x may have several different types. This stands in contrast to the typical presentation of LF, where type labels are used in abstractions to ensure that every term has a unique type. For the atomic syntactic categories the situation is different: the operational meaning of the typing judgement is that it defines a partial function from an atomic term (in a given context and signature) to its unique type.

In  all  cases  the  typing  judgement  is  not  taken  to  have  any  particular  meaning  unless 
the  context  and  signature  referred  to  in  the  judgement  are  valid.  For  the  normal  syntactic 
categories,  the  typing  judgement  is  meaningless  unless  the  type  referred  to  in  the  judgement 
is  valid  as  well.  For  the  atomic  syntactic  categories,  it  will  be  proved  that  whenever  a 
typing  is  derivable  and  the  context  and  signature  mentioned  in  the  typing  are  valid,  the 
type  mentioned  in  the  judgement  is  valid.  The  judgements  are  as  follows. 


$$\begin{array}{lll}
\Gamma \vdash_\Sigma K \Leftarrow \mathsf{kind} & \Gamma; \Delta \vdash_\Sigma N \Leftarrow A & \vdash \Sigma\ \mathsf{ok} \\
\Gamma \vdash_\Sigma A \Leftarrow \mathsf{type} & \Gamma; \Delta \vdash_\Sigma R \Rightarrow A & \vdash_\Sigma \Gamma\ \mathsf{ok} \\
\Gamma \vdash_\Sigma P \Rightarrow K & \Gamma; \Delta \vdash_\Sigma E \leftarrow S & \Gamma \vdash_\Sigma \Delta\ \mathsf{ok} \\
\Gamma \vdash_\Sigma S \Leftarrow \mathsf{type} & \Gamma; \Delta; \Psi \vdash_\Sigma E \leftarrow S & \Gamma \vdash_\Sigma \Psi\ \mathsf{ok} \\
 & \Gamma; \Delta \vdash_\Sigma M \Leftarrow S &
\end{array}$$


For  the  complete  set  of  typing  rules  associated  with  each  judgment  form,  please  see  Ap¬ 
pendix  A.  For  an  explanation  and  motivation  for  this  type  theory,  please  see  the  companion 
technical  report  [WCPW02]. 
2.3 Definitional Equality

The notion of definitional equality (=) for CLF is based on α-equivalence and the following schema for expressions:

$$\frac{E_1 =_c E_2}{E_1 = E_2} \qquad
\frac{M_1 = M_2}{M_1 =_c M_2} \qquad
\frac{R_1 = R_2 \qquad E_1 =_c \varepsilon[E_2]}{(\mathsf{let}\ \{p\} = R_1\ \mathsf{in}\ E_1) =_c \varepsilon[\mathsf{let}\ \{p\} = R_2\ \mathsf{in}\ E_2]}$$

where, in the last rule, the concurrent context ε is a prefix of lets terminated by a hole _ (formally $\varepsilon ::= \_ \mid \mathsf{let}\ \{p\} = R\ \mathsf{in}\ \varepsilon$). This rule is subject to the following side-conditions:

1.  no  variable  bound  by  p  is  free  in  the  conclusion; 

2.  no  variable  bound  by  p  is  bound  by  the  context  e; 

3.  no  variable  free  in  R2  is  bound  by  the  context  e. 

The other rules for = define congruences over all the other syntactic classes of CLF. Definitional equality is a congruence over all syntactic classes of CLF, including =c over expressions. In particular it is reflexive, symmetric and transitive. These properties are shown to hold in [WCPW02].

2.4  Properties  of  CLF 

In this section, we state some basic properties of CLF that will be needed in the proofs of adequacy of some of our encodings. More specifically, our encodings will often use the CLF context to represent the state of a concurrent computation. These contexts have standard structural properties that make this representation concise and elegant. Here, we use the notation Γ ⊢ J (and Γ; Δ ⊢ J) to denote any judgment that depends upon the context Γ (or Γ; Δ). We denote the free variables of a type B by FV(B).

Lemma 2.1 (Exchange).

• If $\Gamma, x{:}A, y{:}B, \Gamma' \vdash J$ and $x \notin FV(B)$ then $\Gamma, y{:}B, x{:}A, \Gamma' \vdash J$.

• If $\Gamma, x{:}A, y{:}B, \Gamma'; \Delta \vdash J$ and $x \notin FV(B)$ then $\Gamma, y{:}B, x{:}A, \Gamma'; \Delta \vdash J$.

Lemma 2.2 (Weakening).

• If $\Gamma \vdash J$ then $\Gamma, x{:}A \vdash J$.

• If $\Gamma; \Delta \vdash J$ then $\Gamma, x{:}A; \Delta \vdash J$.

Lemma 2.3 (Contraction).

• If $\Gamma, x{:}A, y{:}A \vdash J$ then $\Gamma, x{:}A \vdash J[x/y]$.

• If $\Gamma, x{:}A, y{:}A; \Delta \vdash J$ then $\Gamma, x{:}A; \Delta \vdash J[x/y]$.

Lemma 2.4 (Strengthening).

• If $\Gamma, x{:}A \vdash J$ and $x \notin FV(J)$ then $\Gamma \vdash J$.

• If $\Gamma, x{:}A; \Delta \vdash J$ and $x \notin FV(J) \cup FV(\Delta)$ then $\Gamma; \Delta \vdash J$.
3 The π-Calculus in CLF


The π-calculus [Mil99] was created to capture the essence of concurrent programming just as the λ-calculus captures the essence of functional programming. Here we show how the syntax and operational semantics of two variants of the π-calculus can be captured in CLF. First, we give an encoding of the asynchronous π-calculus in which all of the operators are interpreted as logical connectives from CLF. Next, we show how to modify this encoding to deal with Milner's choice operator and the more complex communication primitives of the synchronous π-calculus. We give a proof of adequacy for the latter encoding.

Miller [Mil92] has also investigated the relationship between the π-calculus and linear logic. He interprets π-calculus expressions directly as logical operators in classical (multiple-conclusion) linear logic, as opposed to our intuitionistic logic. He gives three slightly different translations of the synchronous π-calculus, although none of them corresponds exactly to Milner's calculus. In contrast, we are able to represent Milner's calculus exactly (as well as a number of variants including the asynchronous π-calculus) and give a detailed proof of adequacy. On the other hand, we only encode the syntax and operational semantics of the π-calculus, whereas Miller also investigates notions of observational equivalence in a restricted calculus in which no values are passed on channels.

The notation in this and following sections is somewhat abbreviated for readability. In particular, we omit outermost Π-quantifiers in constant declarations in a signature. These quantifiers can easily be reconstructed by an implementation of CLF along the lines of Twelf [PS99]. Whenever we omit the leading Π-quantifier in the type of a dependent function, we also omit the corresponding object at any application site for that function. Once again, these objects can be inferred by an implementation.

We also write A ∘− B for B ⊸ A and A ← B for B → A if we would like to emphasize the operational reading of a declaration, "reduce the goal of proving A to the goal of proving B", along the lines of Lolli [HM94] or LLF [CP98].

3.1 The Asynchronous π-calculus

3.1.1 Syntax

The asynchronous π-calculus has a simple syntax consisting of processes (P) and channels (u, v, w).

$$P, Q, R ::= 0 \mid (P \mid Q) \mid \mathsf{new}\,u\,P \mid\; !P \mid u(v).P \mid \bar{u}\langle v\rangle$$

Channels are conduits that can be used to pass values between processes. In our simple language, the only values are channels themselves. A process may be an instruction to do nothing (0) or an instruction to execute two processes P and Q in parallel (P | Q). The process new u P restricts the scope of the channel u to the process P, and the process !P acts as an unlimited number of copies of P. All communication occurs via input and output processes. The output process ū⟨v⟩ sends the message v on channel u. The corresponding input process u(w).P receives v and substitutes it for w in the body of P.

Representation  Following the standard LF representation methodology [HHP93], we represent the π-calculus's two syntactic classes with two new CLF types.

chan : type.
expr : type.

Next, we represent the processes themselves as objects of type expr. Our representation uses higher-order abstract syntax [Pfe01b] to represent the variable u bound by the restriction new u P and the variable v bound by the input process u(v).P.

0   : expr.
par : expr → expr → expr.
new : (chan → expr) → expr.
rep : expr → expr.
out : chan → chan → expr.
in  : chan → (chan → expr) → expr.

The representation function ⌜·⌝ maps π-calculus processes into CLF objects of type expr.

⌜0⌝ = 0
⌜P | Q⌝ = par ⌜P⌝ ⌜Q⌝
⌜new u P⌝ = new (λu. ⌜P⌝)
⌜!P⌝ = rep ⌜P⌝
⌜ū⟨v⟩⌝ = out u v
⌜u(v).P⌝ = in u (λv. ⌜P⌝)


3.1.2  Operational  Semantics 

The operational semantics of the π-calculus consists of two parts. First, a structural congruence relation divides the set of processes into congruence classes. The operational semantics does not distinguish between processes in the same class. For example, running the null process in parallel with P is equivalent to running P by itself. Similarly, !P is equivalent to running arbitrarily many copies of P in parallel with !P. When P is equivalent to Q we write P ≡ Q. The complete rules for structural congruence are presented below.

$$\begin{array}{c}
P \mid Q \equiv Q \mid P \qquad (P \mid Q) \mid R \equiv P \mid (Q \mid R) \qquad 0 \mid P \equiv P \\[1ex]
0 \equiv \mathsf{new}\,u\,0 \qquad P \mid (\mathsf{new}\,u\,Q) \equiv \mathsf{new}\,u\,(P \mid Q)^{*} \qquad
\mathsf{new}\,u\,(\mathsf{new}\,v\,P) \equiv \mathsf{new}\,v\,(\mathsf{new}\,u\,P) \\[1ex]
!P \equiv P \mid\; !P \\[1.5ex]
\dfrac{}{P \equiv P} \qquad \dfrac{P \equiv Q}{Q \equiv P} \qquad \dfrac{P \equiv Q \qquad Q \equiv R}{P \equiv R} \\[2ex]
\dfrac{P \equiv P'}{P \mid Q \equiv P' \mid Q} \qquad
\dfrac{P \equiv P'}{\mathsf{new}\,u\,P \equiv \mathsf{new}\,u\,P'} \qquad
\dfrac{P \equiv P'}{!P \equiv\; !P'} \qquad
\dfrac{P \equiv P'}{u(v).P \equiv u(v).P'}
\end{array}$$

* The variable u is not free in P.


A second relation, P ⟶ Q, describes how actual computation occurs. There is one central rule that describes how input and output processes interact:

$$u(w).P \mid \bar{u}\langle v\rangle \longrightarrow [v/w]P$$


The other rules that govern the relation P ⟶ Q either accommodate the structural congruence relation or allow communication to occur within the scope of a new channel name or in parallel with an inactive process.

$$\dfrac{P \equiv P' \qquad P' \longrightarrow Q' \qquad Q' \equiv Q}{P \longrightarrow Q} \qquad
\dfrac{P \longrightarrow P'}{\mathsf{new}\,u\,P \longrightarrow \mathsf{new}\,u\,P'} \qquad
\dfrac{P \longrightarrow P'}{P \mid Q \longrightarrow P' \mid Q}$$

We extend this single-step relation to a multi-step relation P ⟶* Q through the following rules.

$$\dfrac{P \equiv Q}{P \longrightarrow^{*} Q} \qquad
\dfrac{P \longrightarrow Q \qquad Q \longrightarrow^{*} R}{P \longrightarrow^{*} R}$$


Representation  At a coarse level, a sequence of transitions in the π-calculus will be represented by a sequence of nested let-expressions in CLF, terminating in a unit element.

$$\Gamma; \Delta \vdash (\mathsf{let}\ \{p_1\} = R_1\ \mathsf{in}\ \mathsf{let}\ \{p_2\} = R_2\ \mathsf{in}\ \ldots\ \langle\rangle) \leftarrow \top$$

Here Γ contains declarations u:chan for channels and r:proc P for replicable processes, while Δ contains x^proc Q for all other processes active in the initial state. The goal type ⊤ allows the computation to stop at any point, modeling the multi-step reaction relation. The computation steps consist of the atomic object R₁ consuming part of Δ and replacing it with new variables via the pattern p₁, and so on.

More precisely, the CLF expressions consist of two alternating phases. In the first phase, expression decomposition, a sequence of CLF let-expressions decomposes a π-calculus expression into CLF connectives. For example, the null process 0 is interpreted as the CLF connective 1 and the parallel composition | is interpreted as ⊗. The decomposed fragments accumulate in the contexts.

In  the  second  phase,  the  CLF  connectives  interact  according  to  the  rules  of  linear  logic. 
The  decomposition  is  such  that  the  resulting  contexts  naturally  obey  the  correct  struc¬ 
tural  congruences,  at  least  at  the  shallow  level.  For  example,  the  implicit  associativity 
and  commutativity  of  contexts  mirrors  the  structural  congruences  associated  with  parallel 
composition. 

To make these ideas precise in the framework, we begin by defining a type family for undecomposed π-calculus expressions.

proc : expr → type.

Next, we specify rules for interpreting the various π-calculus instructions. For example, the exit rule interprets the null process as the multiplicative unit 1.

exit : proc 0 ⊸ {1}.

The following derivation shows the action of this rule.

                                              Γ; Δ ⊢ E ← ⊤
                                            ──────────────────
                                             Γ; Δ; · ⊢ E ← ⊤
    Γ; x^proc 0 ⊢ exit^x ⇒ {1}              ──────────────────
                                             Γ; Δ; 1^1 ⊢ E ← ⊤
    ────────────────────────────────────────────────────────────
    Γ; Δ, x^proc 0 ⊢ let {1} = exit^x in E ← ⊤

Notice that the pattern 1^1 simply disappears. Hence, the null process has no effect, as it should.

fork : proc (par P Q) ⊸ {proc P ⊗ proc Q}.

The fork rule interprets parallel composition as the tensor product of the two processes. When the tensor pattern is eliminated, two assumptions x^proc P, y^proc Q remain in the context. Since CLF is insensitive to the order in which these assumptions appear in the context, either P or Q may be interpreted next. We may, therefore, think of P and Q as two concurrent processes waiting in parallel in the CLF context.

We interpret the process new u P using an existential type.

name : proc (new (λu. P u)) ⊸ {∃u:chan. proc (P u)}.

The elimination rule for existentials guarantees that a fresh name u is added to the CLF context when the pattern is eliminated; hence u may only appear in P, as is required by the π-calculus scope restriction operator.

The process rep P acts as arbitrarily many copies of P in parallel. We model this behavior using the exponential connective.

promote : proc (rep P) ⊸ {!(proc P)}.

Finally, we come to the communication primitives. Output is straightforward: it asynchronously places its message on the network using an auxiliary predicate. An input u(w).P, on the other hand, is more complex. We interpret it as a linear function that consumes a network message v on channel u and produces a new undecomposed process P with v replacing w.

msg : chan → chan → type.

outp : proc (out U V) ⊸ {msg U V}.

inp : proc (in U (λw. P w)) ⊸ {Πv:chan. msg U v ⊸ {proc (P v)}}.
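The two phases just described, decomposition of a process into context hypotheses and then interaction of those hypotheses, can be run mechanically. The following Python program is an added example, not code from the report: it executes the rules exit, fork, name, promote, outp and inp as multiset rewriting over a state that mirrors Γ; Δ. The linear context Δ is a list of hypotheses ('proc', P) and ('msg', u, v); the unrestricted context Γ keeps the channel names introduced by name and the processes that promote has turned into !(proc P). The tuple syntax for terms, the gensym used to play the role of the fresh variable of ∃-elimination, and the run strategy (copy a replicated process only when the copy can react at once) are this example's own assumptions.

```python
"""CLF encoding of the asynchronous pi-calculus (Section 3.1.2), run as
multiset rewriting.  Added example; assumptions are marked in comments."""
from itertools import count

# pi-calculus terms: one tuple per constructor of the signature (assumed syntax)
ZERO = ("zero",)
def par(p, q):    return ("par", p, q)
def new(u, p):    return ("new", u, p)        # binds u in p
def rep(p):       return ("rep", p)
def out(u, v):    return ("out", u, v)        # asynchronous output u<v>
def inp(u, w, p): return ("in", u, w, p)      # input u(w).p, binds w in p

_counter = count(1)
def fresh(base):
    """A name never used before; stands for the variable that eliminating the
    existential produced by `name` introduces into Gamma (assumed gensym)."""
    return f"{base}#{next(_counter)}"

def subst(p, v, w):
    """Capture-avoiding substitution [v/w]p."""
    tag = p[0]
    if tag == "zero":
        return p
    if tag == "par":
        return ("par", subst(p[1], v, w), subst(p[2], v, w))
    if tag == "rep":
        return ("rep", subst(p[1], v, w))
    if tag == "out":
        return ("out", v if p[1] == w else p[1], v if p[2] == w else p[2])
    if tag == "new":
        u, body = p[1], p[2]
        if u == w:                       # w is shadowed inside the binder
            return p
        if u == v:                       # would capture v: rename the binder first
            u2 = fresh(u)
            body, u = subst(body, u2, u), u2
        return ("new", u, subst(body, v, w))
    if tag == "in":
        c, x, body = p[1], p[2], p[3]
        c = v if c == w else c
        if x == w:
            return ("in", c, x, body)
        if x == v:
            x2 = fresh(x)
            body, x = subst(body, x2, x), x2
        return ("in", c, x, subst(body, v, w))
    raise ValueError(f"unknown constructor {tag!r}")

def initial_state(p):
    """Gamma; Delta for a process p: Delta holds the single hypothesis x^proc p."""
    return {"chan": set(), "bang": [], "delta": [("proc", p)]}

def decompose(state):
    """Expression-decomposition phase: apply exit, fork, name, promote and outp
    until Delta holds only input processes and messages.  Their order does not
    matter, which is why the CLF context behaves like a multiset."""
    chan, bang, work = set(state["chan"]), list(state["bang"]), list(state["delta"])
    done = []
    while work:
        h = work.pop()
        if h[0] == "msg":
            done.append(h)
            continue
        p = h[1]
        if p[0] == "zero":                       # exit    : proc 0 -o {1}
            pass
        elif p[0] == "par":                      # fork    : proc (par P Q) -o {proc P (x) proc Q}
            work += [("proc", p[1]), ("proc", p[2])]
        elif p[0] == "new":                      # name    : proc (new (\u. P u)) -o {Exists u:chan. proc (P u)}
            u = fresh(p[1])
            chan.add(u)
            work.append(("proc", subst(p[2], u, p[1])))
        elif p[0] == "rep":                      # promote : proc (rep P) -o {!(proc P)}
            bang.append(p[1])
        elif p[0] == "out":                      # outp    : proc (out U V) -o {msg U V}
            done.append(("msg", p[1], p[2]))
        else:                                    # an input waits in Delta for a message
            done.append(h)
    return {"chan": chan, "bang": bang, "delta": done}

def reactions(state):
    """Every way to fire inp: an input on u consumes one msg on u and yields
    proc ([v/w]P).  This is the interaction phase."""
    delta, res = state["delta"], []
    for i, h in enumerate(delta):
        if h[0] != "proc" or h[1][0] != "in":
            continue
        _, u, w, body = h[1]
        for j, m in enumerate(delta):
            if m[0] == "msg" and m[1] == u:
                rest = [x for k, x in enumerate(delta) if k not in (i, j)]
                res.append(("inp", {**state, "delta": rest + [("proc", subst(body, m[2], w))]}))
    return res

def copies(state):
    """Use an unrestricted !(proc P) hypothesis once more: add a copy to Delta."""
    return [("copy", {**state, "delta": state["delta"] + [("proc", p)]}) for p in state["bang"]]

def run(p, max_steps=50):
    """Alternate decomposition and reaction until quiescent.  A replicated process
    is copied only if the copy can react at once (assumed strategy), so the run
    stays finite even though `copy` is always enabled in CLF."""
    state, trace = decompose(initial_state(p)), []
    for _ in range(max_steps):
        steps = reactions(state)
        if not steps:
            for lbl, s in copies(state):
                s = decompose(s)
                if reactions(s):
                    steps.append((lbl, s))
        if not steps:
            break
        lbl, state = steps[0]
        state = decompose(state)
        trace.append(lbl)
    return state, trace

def messages(state):
    """The msg hypotheses left in Delta, as (channel, payload) pairs."""
    return sorted(h[1:] for h in state["delta"] if h[0] == "msg")

# Constructed input: a replicated echo server on c, and a client that sends it a
# private channel r and forwards the echo on the free channel a:
#     new c ( !(c(x). x<x>) | new r ( c<r> | r(y). a<y> ) )
EXAMPLE = new("c", par(rep(inp("c", "x", out("x", "x"))),
                       new("r", par(out("c", "r"), inp("r", "y", out("a", "y"))))))

if __name__ == "__main__":
    final, trace = run(EXAMPLE)
    print(trace, messages(final))
```

Running the example prints the trace ['copy', 'inp', 'inp'] and leaves a single message on channel a whose payload is the fresh name generated for r: the server copy is pulled from Γ, reacts with the client's message, and the echo is then consumed by the client. No proc hypothesis survives in Δ, while the promoted server is still available in Γ, exactly as !(proc P) is in CLF.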
3.1.3 Alternate Encodings

Wherever possible we have tried to encode π-calculus processes using the CLF logical operators directly. This approach demonstrates the power of our framework and elucidates the connection between the asynchronous π-calculus and linear logic. However, in several cases there are other possible choices. For example, we might have left proc (rep P) as an uninterpreted linear assumption and added an explicit copy rule to mirror process replication:

copy : proc (rep P) ⊸ {proc (rep P) ⊗ proc P}.

We also might have chosen to leave both input and output processes uninterpreted and to add an explicit rule for reaction.

react : proc (in U (λw. P w)) ⊸ proc (out U V) ⊸ {proc (P V)}.

A Non-Encoding  In our first attempt to encode the π-calculus, the rules for interpreting π-calculus expressions took a slightly different form. Each rule mapped computations to computations as follows:

exit' : {proc 0} ⊸ {1}.

fork' : {proc (par P Q)} ⊸ {proc P ⊗ proc Q}.

This representation leads to too many CLF computations, some of them nonsensical. For example, there are suddenly several different computations that interpret the process 0 | 0, including

x^proc (par 0 0) ⊢ let {x₁ ⊗ x₂} = fork'^{x} in
                   let {1} = exit'^{x₁} in
                   let {1} = exit'^{x₂} in ⟨⟩ ← ⊤

x^proc (par 0 0) ⊢ let {x₁ ⊗ x₂} = fork'^{x} in
                   let {1} = exit'^{let {1} = exit'^{x₂} in x₁} in ⟨⟩ ← ⊤

In the second computation, the argument of exit' is itself a computation, independent of the mainline. It was unclear what such tree-like computations might mean or how they might relate to the operational semantics of the π-calculus. Consequently, we changed our encoding and took great care to use monadic encapsulation to control the structure of our proofs properly.

3.2 The Synchronous π-Calculus

The synchronous π-calculus adds two main features to the asynchronous π-calculus: synchronous communication and a nondeterministic choice operator. In our next encoding, we use the synchronous connectives of linear logic to represent parallel composition, replicated processes and name restriction, in conjunction with the asynchronous connectives of linear logic to select and synchronize input and output processes given a series of nondeterministic choices.
3.2.1 Syntax

In the syntax of the synchronous π-calculus, we replace the input and output processes of the asynchronous calculus with a nondeterministic choice of processes M. The null process is now defined to be the empty choice. Each element of the nondeterministic choice (also called a sum) is an action, which may be silent (τ.P), an input, or an output. Notice that outputs (ū⟨v⟩.P) are considered synchronous because they wait on u until they react with an input and only at that point proceed to execute the process P.


$$\begin{array}{lrcl}
\text{Process Expressions} & P & ::= & (P \mid Q) \mid \mathsf{new}\,u\,P \mid\; !P \mid M \\
\text{Sums} & M & ::= & 0 \mid c + M \\
\text{Actions} & c & ::= & \tau.P \mid u(v).P \mid \bar{u}\langle v\rangle.P
\end{array}$$

Representation  We represent the four syntactic classes of the synchronous π-calculus with four CLF types.

chan : type.
expr : type.
sum  : type.
act  : type.

The process expressions themselves are represented as objects of type expr, sums by objects of type sum and actions by objects of type act. As before, we represent every channel u by a corresponding unrestricted variable u:chan of the same name.

par    : expr → expr → expr.
new    : (chan → expr) → expr.
rep    : expr → expr.
sync   : sum → expr.
null   : sum.
alt    : act → sum → sum.
silent : expr → act.
in     : chan → (chan → expr) → act.
out    : chan → chan → expr → act.

The representation function ⌜·⌝ maps process expressions into CLF objects with type expr, ⌜⌜·⌝⌝ maps sums into CLF objects with type sum, and ⌜⌜⌜·⌝⌝⌝ maps actions into CLF objects with type act. As in the previous encoding, it uses higher-order abstract syntax to represent the bound variable v in the restriction new v P and in the input process u(v).P.

⌜P | Q⌝    = par ⌜P⌝ ⌜Q⌝
⌜new u P⌝  = new (λu. ⌜P⌝)
⌜!P⌝       = rep ⌜P⌝
⌜M⌝        = sync ⌜⌜M⌝⌝

⌜⌜0⌝⌝      = null
⌜⌜c + M⌝⌝  = alt ⌜⌜⌜c⌝⌝⌝ ⌜⌜M⌝⌝

⌜⌜⌜τ.P⌝⌝⌝     = silent ⌜P⌝
⌜⌜⌜u(v).P⌝⌝⌝  = in u (λv. ⌜P⌝)
⌜⌜⌜ū⟨v⟩.P⌝⌝⌝  = out u v ⌜P⌝


3.2.2  Operational  Semantics 

To define the structural congruence relation P ≡ Q for the synchronous π-calculus, we adopt all the rules from the asynchronous calculus except for the rules governing input and output (whose form has changed) and augment them with the following rules for sums and actions:

        c ≡ c'                  M ≡ M'
  -------------------     -------------------     ---------------------------------
  c + M ≡ c' + M          c + M ≡ c + M'          c1 + c2 + M ≡ c2 + c1 + M

        P ≡ P'                  P ≡ P'                      P ≡ P'
  -------------------     -----------------------     -------------------------
  τ.P ≡ τ.P'              u(v).P ≡ u(v).P'            ū⟨v⟩.P ≡ ū⟨v⟩.P'

The additional rules ensure that our relation is a congruence relation over sums and actions, and moreover that the order of elements in a sum is inconsequential.

With the addition of silent actions, there are now two non-trivial reaction rules. The first rule selects the action τ.P from a sum and continues with P, throwing away the unchosen elements of the sum. The second rule selects an input process u(v).P from one sum and an output process ū⟨w⟩.Q from another. The two processes synchronize as the value w is passed from output to input and the computation continues with [w/v]P | Q.

  τ.P + M → P          (u(v).P + M) | (ū⟨w⟩.Q + N) → [w/v]P | Q

As  before,  the  rules  above  may  be  used  under  a  channel  name  binder  or  in  parallel 
with  another  process.  The  relation  P  — >*  Q  is  the  reflexive  and  transitive  closure  of  the 
one-step  reaction  relation. 

Representation  Once again, we define a type family for undecomposed π-calculus expressions and interpret parallel composition, name restriction and replication as before.

proc    : expr → type.
fork    : proc (par P Q) ⊸ {proc P ⊗ proc Q}.
name    : proc (new (λu. P u)) ⊸ {∃u:chan. proc (P u)}.
promote : proc (rep P) ⊸ {!(proc P)}.
A sum represents a non-deterministic, possibly synchronized choice. We therefore introduce a new type family to represent a sum waiting to react, and a decomposition rule for the sync coercion.

choice  : sum → type.
suspend : proc (sync M) ⊸ {choice M}.

The  degenerate  case  of  a  sum  is  the  null  process.  As  before,  it  has  no  effect  and  it  is 
interpreted  as  the  multiplicative  unit  1. 

exit : choice null ⊸ {1}.

The  more  interesting  reaction  rules  fall  into  two  families.  The  first  family  non-deterministically 
selects  a  particular  guarded  process  from  a  sum.  It  does  not  refer  to  the  state  and  therefore 
is  neither  linear  nor  monadic.  Intuitively,  it  employs  don’t-know  non-determinism  and  could 
backtrack,  unlike  the  other  rules  that  are  written  with  don’t-care  non-determinism  in  mind. 

select : sum → act → type.
this   : select (alt C M) C.
next   : select M C → select (alt C' M) C.

The second family selects the guarded processes to react and operates on them to perform the actual reaction step. For a silent action we simply select a guarded process with prefix τ from a suspended sum. For a communication, we select two matching guarded processes from two different suspended sums.

internal : choice M ⊸ select M (silent P) → {proc P}.
external : choice M1 ⊸ choice M2
    ⊸ select M1 (in U (λw:chan. P w)) → select M2 (out U V Q)
    → {proc (par (P V) Q)}.

Note that the substitution [w/v]P in the reaction rule (u(v).P + M) | (ū⟨w⟩.Q + N) → [w/v]P | Q is accomplished by a corresponding substitution in the framework, which takes place when the canonical substitution of a process expression λv. ⌜P⌝ for P:chan → expr is carried out. This is a minor variant of a standard technique in logical frameworks.

3.2.3  Adequacy 

The representation of the syntax of the synchronous π-calculus uses higher-order abstract syntax and other well-known strategies from the standard LF representation methodology [HHP93]. Consequently, it should come as no surprise that our representation of the syntax of the π-calculus is adequate.

Theorem 1 (Adequacy of Representation of Syntax). Let Γ = u1:chan, ..., un:chan.

a) Γ; Δ ⊢ N ⇐ expr iff N = ⌜P⌝ where P may contain u1 ... un.

b) Γ; Δ ⊢ N ⇐ sum iff N = ⌜⌜M⌝⌝ where M may contain u1 ... un.

c) Γ; Δ ⊢ N ⇐ act iff N = ⌜⌜⌜c⌝⌝⌝ where c may contain u1 ... un.

d) The representation function is a compositional bijection.

Proof. Standard techniques from LF representation methodology [Pfe01b]. □

On the other hand, our representation of concurrent computations employs a number of new techniques and the adequacy proof is somewhat more involved. Here, we sketch the main components of the proof. The interested reader may examine Appendix B for further details.

We begin by defining the CLF contexts that may arise during a concurrent computation. Notice that the possibilities for contexts are really quite limited. They are limited to the natural representations of channels, replicated processes, unreplicated processes (which may be further decomposed) and sums waiting to react. If it were not for the monadic encapsulation, we would have to deal with the possibility that the context contains partial applications of curried rules such as internal and external. In order to deal with such partial applications, one would have to complicate the notion of adequacy (if indeed there is a notion of adequacy that makes sense) and consider many more possible cases during the proof. Here, and in the rest of this section, we collapse the two parts of the context Γ and Δ into a single context Γ for the sake of brevity. We are still able to distinguish unrestricted assumptions u:A from linear assumptions x^A by their syntax. Hence, there is no fundamental change to the type theory.

Definition 2 (General Contexts Γ). Γ ::= · | Γ, u:chan | Γ, y:proc P | Γ, x^proc P | Γ, x^choice M

Next, we define a relation P ↔ Γ between processes P (modulo the structural congruence relation) and contexts Γ.

Definition 3 (Representation Relation). P ↔ Γ if and only if ⌊Γ⌋ = Q and Q ≡ P, where ⌊Γ⌋ is the inverse of the representation function ⌜·⌝.

Informally, our adequacy theorem will state that related objects step to related objects. In other words, we will show that if P ↔ Γ then P steps to Q if and only if Γ steps to Γ' and Q ↔ Γ'. However, in order for this statement to make any sense we will have to define an appropriate notion of "steps to" on contexts. Unfortunately, we cannot directly relate one CLF computation step to one step in the π-calculus since process decomposition steps (exit, fork, new, etc.) have no π-calculus analogue.

To handle this discrepancy, we will define three relations on CLF contexts. The first, Γ, E ⇒_s Γ', models the structural congruence relation of the π-calculus. The computation E is a series of process decomposition steps that will break down the structure of the context Γ and produce context Γ'. The second relation, Γ, E ⇒ Γ', models the single-step reduction relation. Here, E is a series of process decomposition steps followed by a single reaction rule, either internal or external. It reflects the fact that our CLF computations are arranged in two alternating phases. Finally, Γ, E ⇒* Γ' is the reflexive and transitive closure of Γ, E ⇒ Γ'. It models the multi-step reduction relation. All three relations make use of the following primitive notion of equality on CLF contexts.
Definition 4 (Context Equivalence). Let assumptions of the form x:A be either linear or unrestricted assumptions.

  Γ, x:A, y:B, Γ' ≡ Γ, y:B, x:A, Γ'     (x ∉ FV(B), y ∉ FV(A))

  Γ, u:chan, Γ' ≡ Γ, Γ'     (u ∉ Γ')          Γ, Γ' ≡ Γ, u:chan, Γ'

                              Γ ≡ Γ''    Γ'' ≡ Γ'
  Γ ≡ Γ                     ---------------------
                                   Γ ≡ Γ'

We  will  also  employ  the  following  notation  for  composing  computations. 

Definition 5 (Composition of Computations E(E')). The composition of two computations E and E' with type T, denoted E(E'), is the computation that results from substituting E' for the terminal () in E.

Definition 6 (Representation of structural equivalence ⇒_s). Γ1, E ⇒_s Γk if

1. E = () and Γ1 ≡ Γk, or

2. E = let {p} = R in E' and there is a normal derivation of the following form:

          Γ2 ⊢ E' ← T
   ------------------------------
   Γ1 ⊢ let {p} = R in E' ← T

   and Γ2, E' ⇒_s Γk, and R is one of the following atomic forms (where we let x range over either linear or unrestricted variables):

   exit^x    fork^x    name^x    promote^x    suspend^x

Definition 7 (Representation of Single-Step Reduction ⇒). Γ0, E'(let {p} = R in ()) ⇒ Γ2 iff Γ0, E' ⇒_s Γ1 and

          Γ2 ⊢ () ← T
   ------------------------------
   Γ1 ⊢ let {p} = R in () ← T

and R is one of the following atomic forms (where we let x, x1, x2 range over either linear or unrestricted variables):

   internal^x N    external^x1^x2 N1 N2

and N, N1, N2 ::= this | next N.

Definition 8 (Representation of multi-step reduction ⇒*). Γ1, E ⇒* Γk iff

1. Γ1, E ⇒_s Γk, or

2. E = E1(E2) and Γ1, E1 ⇒ Γ2 and Γ2, E2 ⇒* Γk.

We  are  now  in  a  position  to  state  our  adequacy  results  for  computations. 


Theorem 9 (Adequacy of Representation 1).

1. If Γ, E ⇒_s Γ' and P ↔ Γ, then P ↔ Γ'.

2. If Γ, E ⇒ Γ' and P ↔ Γ, then P → Q and Q ↔ Γ'.

3. If Γ, E ⇒* Γ' and P ↔ Γ, then P →* Q and Q ↔ Γ'.

Theorem 10 (Adequacy of Representation 2).

1. If P ≡ Q and P ↔ Γ, then Q ↔ Γ.

2. If P ↔ Γ and P → Q, then there exist E and Γ' such that Γ, E ⇒ Γ' and Q ↔ Γ'.

3. If P ↔ Γ and P →* Q, then there exist E and Γ' such that Γ, E ⇒* Γ' and Q ↔ Γ'.

The proof of Adequacy 1 is by induction on the structure of the computation E in each case. The proof of Adequacy 2 proceeds by induction on the process relation: on P ≡ Q in part (1); induction on P → Q in part (2); and induction on P →* Q in part (3). Please see Appendix B for details.

4  Concurrent  ML  in  CLF 

In this section we give a representation of Mini-ML in CLF with various advanced features. This encoding shows how the concurrency features can be used for a variety of purposes, including specifying a sequential semantics, lazy evaluation, and synchronous process communication in the style of Concurrent ML [Rep99]. It also shows how representations can exploit features of LF (dependent types) and LLF (asynchronous linear connectives) in CLF, which adds the synchronous linear connectives to LLF.

4.1  Destination-Passing  Style 

Our formulation of Mini-ML distinguishes between expressions and values, which is particularly convenient when we come to the description of concurrency. Furthermore, the representation is intrinsically typed in the sense that only Mini-ML expressions and values that are well-typed in Mini-ML will be well-typed in the framework. So we have a CLF type tp for Mini-ML types, and CLF types exp T and val T for Mini-ML expressions and values of type T, respectively. These type families are declared as follows.


tp  : type.
exp : tp → type.
val : tp → type.

The first novelty of our representation of evaluation is the pervasive use of destination-passing style. This is a convenient way to avoid the use of explicit continuations or evaluation contexts, which simplifies the description of concurrency. It also makes the whole description more modular. So we have types dest T for destinations of type T. Note that initially there are no destinations; they are all created (as parameters) during evaluation. In that sense they are similar to locations in Mini-ML with references [CP98], although they are not necessarily imperative.

There  are  two  basic  type  families  to  describe  the  operational  semantics,  eval  E  D  which 
evaluates  E  with  destination  D,  and  return  V  D  which  returns  the  value  V  to  destination  D. 
The  types  of  the  expressions,  values,  and  destinations  must  match.  Therefore  we  declare: 


dest   : tp → type.
eval   : exp T → dest T → type.
return : val T → dest T → type.


Without effects, the behavior of eval and return is as follows. If we have the linear assumption e^eval E D for a given expression E and destination D, then there is a computation to r^return V D if and only if the evaluation of E yields V. More generally, if we have some initial state represented as Γ; Δ then Γ; Δ, e^eval E D computes to Γ'; Δ', r^return V D, where Γ' and Δ' model the effects of the evaluation of E and other possibly concurrent computations.


evaluate : exp T → val T → type.
run      : evaluate E V
    ∘– (Πd:dest T. eval E d ⊸ {return V d ⊗ ⊤}).


4.2  Sequential  Functional  Programming 

We  now  introduce  a  number  of  concepts  in  a  completely  orthogonal  manner.  With  few 
exceptions,  they  are  organized  around  the  corresponding  types. 

Values.  In surface expressions, we only need to allow variables as values. This avoids ambiguity, since we do not need to decide if a given term should be considered a value or an expression when writing it down. However, we do not enforce this additional restriction; this could be accomplished by introducing a separate type var T for variables of type T. Instead, we allow every value as an expression. The corresponding coercion is value. Evaluating an expression value V returns the value V immediately.

value    : val T → exp T.
ev_value : eval (value V) D ⊸ {return V D}.

Recursion.  Recursion introduces no new types and no new values. It is executed simply by unrolling the recursion. This means, for example, that fix (λu. u) is legal, but does not terminate.

fix    : (exp T → exp T) → exp T.
ev_fix : eval (fix (λu. E u)) D ⊸ {eval (E (fix (λu. E u))) D}.
Definitions.  Computation can be explicitly staged via definitions by let. Unlike ordinary ML, we do not tie properties of polymorphism to definitions, but prefer explicit type abstractions and applications. Inference or reconstruction is considered a property of the concrete syntax, and not the internal operational semantics of ML we are specifying here.

let    : exp T → (val T → exp S) → exp S.
ev_let : eval (let E1 (λx. E2 x)) D
    ⊸ {∃d1:dest T. eval E1 d1
       ⊗ (ΠV1:val T. return V1 d1 ⊸ {eval (E2 V1) D})}.

Note  that  we  use  substitution  instead  of  an  explicit  environment  in  order  to  bind  a 
variable  to  a  value.  This  does  not  lead  to  re-evaluation,  since  there  is  an  explicit  coercion 
from  values  to  expressions.  It  would  be  straightforward  to  design  a  lower-level  encoding 
where  the  bindings  of  variables  to  values  are  modeled  through  the  use  of  destinations. 

Also note how we use a linear assumption

e^ΠV1:val T. return V1 d1 ⊸ {eval (E2 V1) D}

in order to sequence Mini-ML computation explicitly: the evaluation of the body E2 of the let expression cannot continue until the expression E1 has finished computing a value V1.

The  higher-order  nature  of  the  encoding  could  be  avoided  by  introducing  either  a  new 
kind  of  intermediate  expression  or  type  family.  In  that  case  the  signature  looks  more  flat, 
in  the  style  of  an  abstract  machine. 

Natural Numbers.  There is nothing particularly surprising about the representation. We introduce both new expressions and new values. During evaluation of the case construct we have to choose one branch or the other, but never both. This is represented naturally by the use of an additive conjunction & in the encoding.

nat  : tp.
z    : exp nat.
s    : exp nat → exp nat.
case : exp nat → exp T → (val nat → exp T) → exp T.
z'   : val nat.
s'   : val nat → val nat.

ev_z    : eval z D ⊸ {return z' D}.
ev_s    : eval (s E1) D
    ⊸ {∃d1:dest nat. eval E1 d1
       ⊗ (ΠV1:val nat. return V1 d1 ⊸ {return (s' V1) D})}.
ev_case : eval (case E1 E2 (λx. E3 x)) D
    ⊸ {∃d1:dest nat. eval E1 d1
       ⊗ ((return z' d1 ⊸ {eval E2 D})
          & (ΠV'1:val nat. return (s' V'1) d1 ⊸ {eval (E3 V'1) D}))}.
Functions.  Again, the use of higher-order abstract syntax and substitution makes this quite simple. As before, we specify explicitly that the function has to be evaluated before the argument in an application. Concurrency or parallelism will be introduced explicitly later.

arrow : tp → tp → tp.
lam   : (val T2 → exp T1) → exp (arrow T2 T1).
app   : exp (arrow T2 T1) → exp T2 → exp T1.
lam'  : (val T2 → exp T1) → val (arrow T2 T1).

ev_lam : eval (lam (λx. E1 x)) D ⊸ {return (lam' (λx. E1 x)) D}.
ev_app : eval (app E1 E2) D
    ⊸ {∃d1:dest (arrow T2 T1). eval E1 d1
       ⊗ (ΠE'1:val T2 → exp T1. return (lam' (λx. E'1 x)) d1
          ⊸ {∃d2:dest T2. eval E2 d2
             ⊗ (ΠV2:val T2. return V2 d2 ⊸ {eval (E'1 V2) D})})}.

Pairs.  These are included here for completeness.

cross : tp → tp → tp.
pair  : exp T1 → exp T2 → exp (cross T1 T2).
fst   : exp (cross T1 T2) → exp T1.
snd   : exp (cross T1 T2) → exp T2.
pair' : val T1 → val T2 → val (cross T1 T2).

ev_pair : eval (pair E1 E2) D
    ⊸ {∃d1:dest T1. eval E1 d1
       ⊗ (ΠV1:val T1. return V1 d1
          ⊸ {∃d2:dest T2. eval E2 d2
             ⊗ (ΠV2:val T2. return V2 d2
                ⊸ {return (pair' V1 V2) D})})}.
ev_fst  : eval (fst E1) D
    ⊸ {∃d1:dest (cross T1 T2). eval E1 d1
       ⊗ (ΠV1:val T1. ΠV2:val T2. return (pair' V1 V2) d1
          ⊸ {return V1 D})}.
ev_snd  : eval (snd E1) D
    ⊸ {∃d1:dest (cross T1 T2). eval E1 d1
       ⊗ (ΠV1:val T1. ΠV2:val T2. return (pair' V1 V2) d1
          ⊸ {return V2 D})}.

Unit.  A unit type with one element is included here since some expressions with effects in ML return a unit value.

one    : tp.
unit   : exp one.
unit'  : val one.
ev_one : eval unit D ⊸ {return unit' D}.

Polymorphism,  Sum  Types,  Void  Type,  Recursive  Types.  All  of  these  can  be 
added  orthogonally  and  straightforwardly  and  are  omitted  here. 


4.3  Suspensions  with  Memoization 

The code below shows a technique for implementing lazy evaluation in the style of Haskell. This is slightly tricky, because the first time a suspension is accessed it has to behave differently from any future time it is accessed. In order to model this we make a linear assumption that, when consumed, makes an unrestricted assumption.


susp  : tp → tp.
delay : exp T → exp (susp T).
force : exp (susp T) → exp T.
thunk : dest T → val (susp T).
read  : dest T → dest T → type.

ev_delay : eval (delay E1) D
    ⊸ {∃l1:dest T. return (thunk l1) D
       ⊗ (ΠD':dest T. read l1 D'
          ⊸ {∃d1:dest T. eval E1 d1
             ⊗ (ΠV1:val T. return V1 d1
                ⊸ {return V1 D'
                   ⊗ !(ΠD'':dest T. read l1 D'' ⊸ {return V1 D''})})})}.
ev_force : eval (force E1) D
    ⊸ {∃d1:dest T. eval E1 d1
       ⊗ (ΠL1:dest T. return (thunk L1) d1 ⊸ {read L1 D})}.


4.4  State  and  Concurrency 

So  far,  we  have  considered  a  wide  range  of  pure,  sequential  programming  language  features. 
We  were  pleasantly  surprised  that  our  destination-passing  style  encoding  may  be  extended 
to  include  mutable  references  and  common  concurrency  primitives  as  well. 

Futures.  We now come to the first parallel construct: futures in the style of MultiLisp [Hal85], adapted to ML. There is no new type, since a future can be of any type. A destination D can now serve as a value (called promise D). If a promise is ever needed it needs to be available from then on, which is why we have a new family deliver V D which delivers value V to destination D and will be an unrestricted assumption.

Note that evaluating future E1 immediately returns a promise, while spawning a separate thread to compute E1. This thread cannot communicate with other processes except through the final value it might deliver.


future  : exp T → exp T.
promise : dest T → val T.
deliver : val T → dest T → type.

ev_future : eval (future E1) D
    ⊸ {∃d1:dest T. return (promise d1) D
       ⊗ eval E1 d1
       ⊗ (ΠV1:val T. return V1 d1 ⊸ {!deliver V1 d1})}.
ret_deliver : return V D
    ∘– return (promise D1) D
    ← deliver V D1.

In  the  last  clause  we  use  the  reverse  notation  for  implication  in  order  to  emphasize  the 
operational  reading  in  terms  of  backchaining.  Previously,  when  we  were  trying  to  prove 
return  V  D  for  some  given  destination  D,  we  would  only  succeed  if  it  were  directly  present 
in  the  state,  since  there  were  no  rules  concluding  return  V  D,  only  the  weaker  {return  V  D}. 

With  futures,  we  can  also  conclude  return  V  D  if  there  is  a  promise  promise  Di  with  the 
right  destination  D  that  has  delivered  its  answer  (and  therefore  the  unrestricted  assumption 
deliver  V  Di  is  available).  Because  futures  can  be  iterated,  delivering  the  results  could 
require  a  chain  of  such  inferences. 

We  find  it  remarkable  how  simple  and  modular  the  addition  of  futures  to  the  prior 
semantic  framework  turned  out  to  be. 

Mutable  References.  Mutable  references  in  the  style  of  ML  are  easy  to  add:  they  just 
become  linear  hypotheses.  The  only  novelty  here  is  the  higher-order  encoding  in  terms 
of  nested  assumptions;  otherwise  the  techniques  and  ideas  are  combined  from  LLF  and 
Forum.  New  with  respect  to  LLF  is  the  destination-passing  style  and  the  representation 
of  eval  and  return  as  assumptions  rather  than  goals.  New  with  respect  to  Forum  is  the 
monadic  encapsulation  and  the  presence  of  explicit  proof  terms. 
ref      : tp → tp.
newref   : exp T → exp (ref T).
assign   : exp (ref T) → exp T → exp one.
deref    : exp (ref T) → exp T.
cell     : dest T → val (ref T).
contains : dest T → val T → type.

ev_newref : eval (newref E1) D
    ⊸ {∃d1:dest T. eval E1 d1
       ⊗ (ΠV1:val T. return V1 d1
          ⊸ {∃c:dest T. contains c V1 ⊗ return (cell c) D})}.
ev_assign : eval (assign E1 E2) D
    ⊸ {∃d1:dest (ref T). eval E1 d1
       ⊗ (ΠC1:dest T. return (cell C1) d1
          ⊸ {∃d2:dest T. eval E2 d2
             ⊗ (ΠV2:val T. return V2 d2
                ⊸ ΠV1:val T. contains C1 V1
                ⊸ {contains C1 V2 ⊗ return unit' D})})}.
ev_deref  : eval (deref E1) D
    ⊸ {∃d1:dest (ref T). eval E1 d1
       ⊗ (ΠC1:dest T. return (cell C1) d1
          ⊸ ΠV1:val T. contains C1 V1
          ⊸ {contains C1 V1 ⊗ return V1 D})}.


If our language contained falsehood (0) and disjunction (A ⊕ B), there would be an alternative formulation of dereferencing that does not consume and then re-create the linear assumption.

ev_deref' : eval (deref E1) D
    ⊸ {∃d1:dest (ref T). eval E1 d1
       ⊗ (ΠC1:dest T. return (cell C1) d1
          ⊸ ΠV1:val T. {(contains C1 V1 ⊸ {0}) ⊕ return V1 D})}.


Concurrency.  We now give an encoding of Concurrent ML as presented in [Rep99], omitting only negative acknowledgments. The representation can be extended to allow negative acknowledgments without changing its basic structure, but it would obscure the simplicity of the representation.

We  have  two  new  type  constructors,  chan  T  for  channels  carrying  values  of  type  T,  and 
event  T  for  events  of  type  T. 

chan  : tp → tp.
event : tp → tp.

Processes are spawned with spawn E, where E is evaluated in the new process; spawn always returns the unit value. We synchronize on an event with sync. The primitive events are send and receive events for synchronous communication, as well as an event that is always enabled. In addition we have non-deterministic choice as in Milner's synchronous π-calculus, and wrappers that can be applied to event values. We avoid the usual ML-style representation where unevaluated expressions of type T are presented as functions arrow one T. Instead, our semantics will simply not evaluate such expressions where appropriate. This leads to a more modular presentation of the language.

spawn     : exp T → exp one.
sync      : exp (event T) → exp T.
channel   : exp (chan T).
alwaysEvt : exp T → exp (event T).
recvEvt   : exp (chan T) → exp (event T).
sendEvt   : exp (chan T) → exp T → exp (event one).
choose    : exp (event T) → exp (event T) → exp (event T).
neverEvt  : exp (event T).
wrap      : exp (event T1) → (val T1 → exp T2) → exp (event T2).

Among the new internals we find event values corresponding to the above events, plus channels that have been allocated with channel.

ch         : tp → type.
chn        : ch T → val (chan T).
alwaysEvt' : val T → val (event T).
recvEvt'   : val (chan T) → val (event T).
sendEvt'   : val (chan T) → val T → val (event one).
choose'    : val (event T) → val (event T) → val (event T).
neverEvt'  : val (event T).
wrap'      : val (event T1) → (val T1 → exp T2) → val (event T2).

Finally, we come to the operational semantics. There is a new type family, synch W D, which synchronizes the event value W. The expression returned by the synchronization will eventually be evaluated and the resulting value returned to destination D.

We have chosen for processes that return to be explicitly "garbage collected" in the rule for spawn. Unlike for futures, the returned value is ignored.

synch : val (event T) → dest T → type.

ev_spawn   : eval (spawn E1) D
    ⊸ {return unit' D
       ⊗ (∃d1:dest T. eval E1 d1
          ⊗ (ΠV1:val T. return V1 d1 ⊸ {1}))}.
ev_sync    : eval (sync E1) D
    ⊸ {∃d1:dest (event T). eval E1 d1
       ⊗ (ΠW1:val (event T). return W1 d1 ⊸ {synch W1 D})}.
ev_channel : eval channel D
    ⊸ {∃K:ch T. return (chn K) D}.


The rules for evaluating events are straightforward, since they simply evaluate the embedded expressions as needed and return the corresponding event value.

ev_alwaysEvt : eval (alwaysEvt E1) D
    ⊸ {∃d1:dest T. eval E1 d1
       ⊗ (ΠV1:val T. return V1 d1
          ⊸ {return (alwaysEvt' V1) D})}.
ev_recvEvt   : eval (recvEvt E1) D
    ⊸ {∃d1:dest (chan T). eval E1 d1
       ⊗ (ΠK:ch T. return (chn K) d1
          ⊸ {return (recvEvt' (chn K)) D})}.
ev_sendEvt   : eval (sendEvt E1 E2) D
    ⊸ {∃d1:dest (chan T). eval E1 d1
       ⊗ (ΠK:ch T. return (chn K) d1
          ⊸ {∃d2:dest T. eval E2 d2
             ⊗ (ΠV2:val T. return V2 d2
                ⊸ {return (sendEvt' (chn K) V2) D})})}.
ev_choose    : eval (choose E1 E2) D
    ⊸ {∃d1:dest (event T). eval E1 d1
       ⊗ (ΠW1:val (event T). return W1 d1
          ⊸ {∃d2:dest (event T). eval E2 d2
             ⊗ (ΠW2:val (event T). return W2 d2
                ⊸ {return (choose' W1 W2) D})})}.
ev_neverEvt  : eval neverEvt D ⊸ {return neverEvt' D}.
ev_wrap      : eval (wrap E1 (λx. E2 x)) D
    ⊸ {∃d1:dest (event T1). eval E1 d1
       ⊗ (ΠW1:val (event T1). return W1 d1
          ⊸ {return (wrap' W1 (λx. E2 x)) D})}.

Finally, we come to event matching as required for synchronization. We have a type family action which extracts a primitive event value (send, receive, or always) from a given complex event value (which may contain choices and wrappers). It also accumulates wrappers, returning a "continuation" val S → exp T for an original event of type T.

Note that action is don't-know non-deterministic in the manner of LLF or Lolli and is therefore written in the style of logic programming with reverse implications. action does not refer to the state.

action : val (event T) → val (event S) → (val S → exp T) → type.

act_⊤  : action (alwaysEvt' V) (alwaysEvt' V) (λx. value x).
act_!  : action (sendEvt' (chn K) V) (sendEvt' (chn K) V) (λx. value x).
act_?  : action (recvEvt' (chn K)) (recvEvt' (chn K)) (λx. value x).
act_⊕1 : action (choose' W1 W2) A (λx. E x)
    ← action W1 A (λx. E x).
act_⊕2 : action (choose' W1 W2) A (λx. E x)
    ← action W2 A (λx. E x).
act_   : action (wrap' W (λx2. E2 x2)) A (λx1. let (E1 x1) (λx2. E2 x2))
    ← action W A (λx1. E1 x1).
The action rules are invoked when one or two synch assumptions are selected. Presumably the selection of such assumptions for concurrent evaluation is subject to fair scheduling. Further investigation of fairness and its consequences in this context is a subject of future research and beyond the scope of this paper.

synch1 : synch W D
    ⊸ action W (alwaysEvt' V) (λx. E x)
    → {eval (E V) D}.
synch2 : synch W1 D1
    ⊸ synch W2 D2
    ⊸ action W1 (sendEvt' (chn K) V) (λx1. E1 x1)
    → action W2 (recvEvt' (chn K)) (λx2. E2 x2)
    → {eval (E1 unit') D1 ⊗ eval (E2 V) D2}.

Note that we use A → B instead of A ⊸ B whenever A does not require access to the current state. In this particular signature, A ⊸ B would in fact be equivalent, since no linear assumptions could be used in the proof of A (which is of the form action W D for some W and D).

5 Petri Nets in CLF

This section applies CLF to encode Petri nets. We introduce preliminary multiset terminology in Section 5.1 and define two popular semantics for Petri nets, dubbed sequential and concurrent models, in Section 5.2. We give encodings for each of them in Sections 5.3 and 5.4, respectively. We conclude in Section 5.5 with some comments on how Petri nets can be encoded in LLF.

5.1 Multisets

Given a support set S, a multiset m over S is a collection of possibly repeated elements of S. We formally define m as a function m : S → ℕ that associates a multiplicity to every element of S. We therefore write ℕ^S for the set of all multisets over S.

Given a multiset m over S, any a ∈ S such that m(a) ≥ 1 is called an element of m. We denote this fact as a ∈ m. The empty multiset, written ∅ or ∅_S, has no elements: it is such that ∅(a) = 0 for all a ∈ S. In analogy with the usual extensional notation for finite sets, where we write {a1, …, an} for the set consisting of the elements a1, …, an, we will denote a multiset with elements a1, …, an (possibly with replications) as ⦃a1, …, an⦄. We extend this notation to the intensional construction of multisets given by the validity of a property: ⦃a : p(a) s.t. a ∈ m⦄ is the multiset consisting of all elements of m for which the property p holds.

The multiset equivalents of the usual operations and relations on sets are inherited from the natural numbers ℕ. In particular, if m1 and m2 are two multisets with common support S,

• the submultiset relation, denoted m1 ≤ m2, extends the “less than or equal to” relation over ℕ: m1 ≤ m2 if for all a ∈ S, m1(a) ≤ m2(a).

• multiset equality is similarly lifted from the equality over ℕ. As for sets and numbers, m1 = m2 iff m1 ≤ m2 and m2 ≤ m1.

• the multiset union of m1 and m2 is the multiset m = m1 ⊎ m2 such that for each a ∈ S, we have that m(a) = m1(a) + m2(a).

• if m2 ≤ m1, then the multiset difference of m1 and m2 is the multiset m = m1 − m2 such that, for all a ∈ S, m(a) = m1(a) − m2(a).

• the cardinality of m1, denoted |m1|, is given as |m1| = Σ_{a∈S} m1(a).

Other  operations  and  relations  are  similarly  defined,  although  we  will  not  need  them. 

We will sometimes need to distinguish the different occurrences of an element a in a multiset m. For this purpose, we define a labeled multiset as a multiset m together with a set X and a function λ : X → m that associates a unique label x ∈ X to each occurrence of an element of m. We will always be in the position to choose the set X of labels in such a way that λ is a multiplicity-conscious bijection between X and m, i.e., ⦃λ(x) : x ∈ X⦄ = m. We will take notational advantage of this flexibility and write m̂ to indicate some labeled version of m. We will occasionally write m̂ as (X:m) to make explicit the set of labels X used in the construction of m̂ from m. We will sometimes refer to a labeled multiset extensionally, writing for example (x1:a1, …, xn:an) for a multiset ⦃a1, …, an⦄ with labels {x1, …, xn}.

Labeled multisets inherit the operations and relations of their unlabeled cousins, although we shall be careful to preserve the multiplicity-conscious nature of the defining bijection (typically by renaming labels as necessary). Observe that, in the case of labeled multisets, these operations reduce to their set-theoretic counterparts.

Finally, we will occasionally view a multiset m as a sequence induced by some ordering (e.g., alphabetic on the identifiers denoting the elements of its support set). We emphasize this reading by writing m as m⃗. We extend both concept and notation to labeled multisets, in which case a secondary ordering over labels orders different occurrences of the same element.

5.2 Petri Nets

A Petri net N is a directed bipartite multigraph (P, T, E) whose two types of nodes, P and T, are called places and transitions, respectively [Pet62, Rei85, EW90]. The multi-edges E link places to transitions and transitions to places; each edge carries a multiplicity. It is convenient to take a transition-centric view of edges and define them as a function E : T → ℕ^P × ℕ^P that associates each transition t ∈ T with a pair of multisets of places that we will denote (•t, t•). The pre-condition •t of t lists the origin p of every edge that enters t; its multiplicity is expressed by the number of occurrences of the place p in •t. The post-condition t• of t similarly represents the edges exiting t.

A marking M for N is a labeled multiset over P. Each element x:p in M is called a token. Our use of labels constitutes a departure, known as the “individual token philosophy” and analyzed in [BMMS98, BM00], from the definition of markings and Petri nets commonly found in the literature. The implications are rather subtle: labels assign an identity to tokens inhabiting the same place, making it possible to distinguish them. Therefore, where the more traditional “collective token approach” prescribes removing “a” token from a place,
Figure 1: A Producer/Consumer Net (places: Ready to release (r), Counter (n), Ready to produce (p), Ready to acquire (a), Ready to consume (c); transitions shown include Produce (t_p) and Consume (t_c))


we shall say which of the possibly many tokens populating this place we are operating on, and each choice is accounted for as a different operation. Our more detailed formulation has the advantage of simplifying subsequent definitions (in particular traces) and will constitute the basis of our CLF encoding in Section 5.3. The drawback is that it distinguishes behaviors that the mainstream definition would identify.

Figure 1 describes a producer-consumer system N_pc by means of the traditional graphical representation for Petri nets: places are rendered as circles and transitions as squares; edge multiplicity is annotated on top of the edges unless it is 1 or 0 (in which case the edge is not drawn). The left cycle represents the producer, who releases one item per cycle, puts it in the common buffer and increments the counter by one. The consumer (on the right) extracts two items at a time from the buffer and consumes them. Figure 1 also specifies a marking M_pc1 by putting a bullet for each occurrence of a place in the appropriate circle. Labels for these tokens cluster around the place where they occur.

A Petri net is a recipe for transforming a marking into another marking. More precisely, each transition can be seen as a description of how to modify a fragment of a marking. If two transitions do not try to rewrite the same portion of this marking, they can be applied in parallel. There are several ways to formalize this basic notion into a full-blown semantics. We will examine two of them: first, the interleaving semantics expresses the global transformation as a sequence of applications of transitions, recovering concurrency through permutations. Second, the trace semantics focuses on the dependencies (or lack thereof) among transitions.

5.2.1 Interleaving Semantics

Given a Petri net N = (P, T, E) and a marking M = (X:M) over P, a transition t ∈ T is enabled in M if •t ≤ M. If t is enabled at M, then an application of t to M is defined as the judgment

M ▷_N M'

where the marking M' = (X':M') satisfies

M' = ((X:M) − (•x:•t)) ⊎ (x•:t•)
Figure 2: A Later Marking in the Producer/Consumer Net (places as in Figure 1: Ready to release (r), Counter (n), Ready to produce (p), Ready to acquire (a), Ready to consume (c); transition Produce (t_p))


where •x is the subset of the labels X associated with •t in M (note that it may not be unique), and x• is a set of new labels that are associated with t•. The application of a transition to a marking is also called an execution step or the firing of t in M.

Observe that, given N and M, the triple (t, •x, x•) identifies the application uniquely. We say that this triple supports the above application. We will generally annotate an execution step with the transition instance that supports it:

M ▷_N M' by (t, •x, x•).

An execution of a Petri net N from a marking M0 to a marking Mn is given by the reflexive and transitive closure of the execution step relation. It is denoted as

M0 ▷*_N Mn by S

where S = (t1, •x1, x1•), …, (tn, •xn, xn•) and for i = 1..n, we have that M_{i−1} ▷_N M_i by (t_i, •x_i, x_i•). Observe that the entire execution sequence, and in particular Mn, is completely determined by M0 and the (possibly empty) sequence of transition applications S it is constructed from. Whenever M0 ▷*_N Mn by S, the marking Mn is said to be reachable from M0.

Figure 2 shows another marking M_pc2 for the producer/consumer net. It is obtained by applying transitions t_r, t_p and t_a to the marking M_pc1 embedded in Figure 1. This is described by the judgment:

M_pc1 ▷*_N M_pc2 by (t_r, (r1), (n3, b4, p1)), (t_p, (p1), (r2)), (t_a, (a1, b1, b2), (c1))

Token p1:p is produced by the first transition and consumed by the second. Observe that transition t_a consumes buffer tokens b1 and b2. We could have had it consume any combination of buffer tokens, including the token b4 produced by the firing of t_r (the effect would have been to force a dependency between these two rules). This degree of discrimination does not arise in settings that keep tokens anonymous. Below, we will refer to this execution sequence as S_pc.

Transition applications are completely ordered in a transition sequence. Still, some transitions are applied to independent portions of a given marking. We will now define concepts to highlight this form of concurrency, and prove some results for them.
A transition sequence S = (t1, •x1, x1•), …, (tn, •xn, xn•) is well-labeled if for any label x appearing in S:

• there is at most one index i such that x ∈ xi•;

• there is at most one index j such that x ∈ •xj;

• whenever there exist both i and j such that x ∈ xi• ∩ •xj, then i < j.

It is clear that if M ▷*_N M' by S, then S is well-labeled.

If S1 and S2 are two well-labeled transition sequences, S2 is a well-labeled exchange of S1, written S1 ~₀ S2, if S1 = S', (t, •x, x•), (t', •x', x'•), S'' and S2 = S', (t', •x', x'•), (t, •x, x•), S''.

In our producer/consumer example, the execution sequence S'_pc = (t_r, (r1), (n3, b4, p1)), (t_a, (a1, b1, b2), (c1)), (t_p, (p1), (r2)) is a well-labeled exchange of S_pc above, but the sequence S1 = (t_p, (p1), (r2)), (t_r, (r1), (n3, b4, p1)), (t_a, (a1, b1, b2), (c1)) is not, since p1 occurs in the pre-condition of the first transition and in the post-condition of the second transition (violating the third condition).

It is clear that, if S1 ~₀ S2, then

•x ∩ x'• = •x' ∩ x• = •x ∩ •x' = x• ∩ x'• = ∅

since S1 and S2 are well-labeled. This condition is actually sufficient for two transitions to constitute a well-labeled exchange.

Lemma 5.1. (Checking well-labeled exchange)

Let S', (t, •x, x•), (t', •x', x'•), S'' be a well-labeled transition sequence such that •x ∩ x'• = •x' ∩ x• = •x ∩ •x' = x• ∩ x'• = ∅; then S', (t, •x, x•), (t', •x', x'•), S'' ~₀ S', (t', •x', x'•), (t, •x, x•), S''.

Proof. By induction on S' and then by verifying that the second sequence satisfies the definition of a well-labeled transition sequence. □

The well-labeled exchange relation is clearly symmetric. Moreover, if one of the sides supports an execution between two markings, the other relates these same two markings, as formalized in the following lemma.

Lemma 5.2. (Well-labeled exchange preserves execution)

If M ▷*_N M' by S1 and S1 ~₀ S2, then M ▷*_N M' by S2.

Proof. Let S1 = S', (t, •x, x•), (t', •x', x'•), S'' and S2 = S', (t', •x', x'•), (t, •x, x•), S''. By definition, there are markings M̄, M* and M̄' such that

M ▷*_N M̄ by S',   M̄ ▷_N M* by (t, •x, x•),   M* ▷_N M̄' by (t', •x', x'•),   M̄' ▷*_N M' by S''

where M* = (M̄ − (•x:•t)) ⊎ (x•:t•) and M̄' = (M* − (•x':•t')) ⊎ (x'•:t'•) = (((M̄ − (•x:•t)) ⊎ (x•:t•)) − (•x':•t')) ⊎ (x'•:t'•).

Since S1 and S2 are well-labeled, x• ∩ •x' = ∅; therefore we can rewrite M̄' as M̄' = (M̄ − (•x:•t) − (•x':•t')) ⊎ (x•:t•) ⊎ (x'•:t'•), or as

M̄' = (((M̄ − (•x':•t')) ⊎ (x'•:t'•)) − (•x:•t)) ⊎ (x•:t•).

Let then M** = (M̄ − (•x':•t')) ⊎ (x'•:t'•), the inner marking in the last expression. We have then that M̄ ▷_N M** by (t', •x', x'•) and M** ▷_N M̄' by (t, •x, x•), from which we deduce that M ▷*_N M' by S2. □

Two well-labeled transition sequences S1 and S2 are equivalent, written S1 ~ S2, if S1 is a permutation of S2. We will sometimes write S2 = π(S1) where π is the witnessing permutation. It is easy to show that ~ is indeed an equivalence relation. In our recurring example, the transition sequence S''_pc = (t_a, (a1, b1, b2), (c1)), (t_r, (r1), (n3, b4, p1)), (t_p, (p1), (r2)) is equivalent to S_pc.

Permutations can be expressed as iterated exchanges of two adjacent elements. Sorting algorithms such as bubble-sort are based on this property. It is therefore not surprising that showing the equivalence of two transition sequences can be reduced to producing a sequence of well-labeled exchanges.

Lemma 5.3. (Well-labeled equivalence maps to iterated well-labeled exchange)

If S ~ S', then there are transition sequences S0, …, Sn such that S = S0, S' = Sn, and for i = 1..n, S_{i−1} ~₀ S_i.

Proof. Let S = ξ1, …, ξk with ξj = (tj, •xj, xj•) for j = 1..k. Then, by definition, S' = ξ_{π(1)}, …, ξ_{π(k)} for some permutation π. We define the distance between S and S' as the tuple d(S, S') = (d1(S, S'), …, dk(S, S')) where dj(S, S') = |j − π(j)|, for j = 1..k. We then proceed by lexicographic induction on d(S, S').

If d(S, S') = 0, then S = S' and n = 0.

Otherwise, let l be the first non-zero index in d(S, S'). Then, writing ξ'_j for the j-th element of S' (so that ξ'_{π(l)} = ξ_l),

S = S̄, ξ_l, S̄*   and   S' = S̄, S̄', ξ'_{π(l)−1}, ξ'_{π(l)}, S**

Let S'' = S̄, S̄', ξ'_{π(l)}, ξ'_{π(l)−1}, S**. Since S and S' are well-labeled and equivalent, ξ'_{π(l)−1} and ξ'_{π(l)} must be independent. Thus, we have that S'' ~₀ S'. Notice that d(S, S'') < d(S, S') since d_l(S, S'') = d_l(S, S') − 1 (and dj(S, S'') is still null for j < l). Then, by induction hypothesis, there are transition sequences S0, …, Sn such that S = S0, S'' = Sn, and for i = 1..n, S_{i−1} ~₀ S_i. Then, simply add S'' ~₀ S' to this sequence to obtain the desired result. □

In our producer/consumer example, we observed that S_pc ~ S''_pc. This can be unfolded as S_pc ~₀ S'_pc ~₀ S''_pc.

This result, together with Lemma 5.2, allows for a simple proof of the fact that ~ preserves marking reachability.

Lemma 5.4. (Well-labeled equivalence preserves execution)

If M ▷*_N M' by S and S ~ S', then M ▷*_N M' by S'.

Proof. By Lemma 5.3, there are transition sequences S0, …, Sn such that S = S0, S' = Sn, and for i = 1..n, S_{i−1} ~₀ S_i. We now proceed by induction on n.

If n = 0, then S = S' and the desired result is trivially satisfied.

For n ≥ 1, we have a sequence of the form S0, …, S_{n−1}, Sn. By induction hypothesis, there is an execution M ▷*_N M'' by S_{n−1} for some marking M''. By Lemma 5.2, M'' ▷*_N M' by Sn. From this the desired result follows easily. □


Figure 3: A Trace in the Producer/Consumer Net


5.2.2 Trace Semantics

Given a Petri net N = (P, T, E), a trace T of N is an acyclic directed bipartite graph (P̂, T̂, Ê) such that P̂ = (X:P) is a labeled multiset over P, T̂ = (Y:T) is a labeled multiset over T, and Ê is a set of (single) edges Ê : T̂ → 2^P̂ × 2^P̂. In this report, we will assume that P̂, T̂ and Ê are finite. Similarly to the case of Petri nets, we will denote the two components of the image of a labeled transition (y:t) according to Ê as •(y:t) and (y:t)•, respectively. Ê is subject to the following restrictions:

1. For any transition t ∈ T such that (y:t) ∈ T̂, if •(y:t) = (X1:P1) and (y:t)• = (X2:P2) (with P1, P2 ≤ P and X1 and X2 disjoint sets of labels), then P1 = •t and P2 = t•.

2. For every (x:p) ∈ P̂ and (y1:t1), (y2:t2) ∈ T̂,

(a) if (x:p) ∈ •(y1:t1) and (x:p) ∈ •(y2:t2), then (y1:t1) = (y2:t2).

(b) if (x:p) ∈ (y1:t1)• and (x:p) ∈ (y2:t2)•, then (y1:t1) = (y2:t2).

The first restriction forces each occurrence of a transition t in the trace T to be consistent with its definition in N: its incoming edges should originate from places in P̂ of the same type and in the same number as specified in •t, and similarly for outgoing edges. The second restriction requires a place in T to be produced at most once and to be consumed at most once.

Given a trace T, the initial marking of T, denoted •T, is the set of labeled places in P̂ without any incoming edge: •T = {(x:p) : there is no (y:t) ∈ T̂ s.t. (x:p) ∈ (y:t)•}. The final marking of T is similarly defined as the set of labeled places in T without any outgoing edge. It is denoted T•.

Figure 3 shows a trace T_pc for the producer/consumer example in this section. For clarity, we have omitted the identifiers for places and transitions, relying only on mnemonic label names. The initial marking of T_pc consists of the places •T_pc = {n1, n2, r1, a1, a2, b1, b2, b3} while its final marking is T_pc• = {n1, n2, n3, b4, r2, a2, c1, b3}. These two sets of tokens correspond to the markings displayed in Figures 1 and 2, respectively. This trace consists of three transition instances: (t_r1:t_r), (t_a1:t_a) and (t_p1:t_p).

5.2.3 Equivalence

We now show that the two presentations of the semantics of a Petri net are equivalent from the point of view of reachability: whenever there is an execution sequence between two markings, they are the initial and final marking of some trace, and for every trace there is an execution sequence between its initial and final marking. Besides being of interest in itself, this fact will help us encode the notion of traces in CLF. The above intuition is formalized in the following property.

Property 5.5. (Equivalence of interleaving and trace semantics)

Let N = (P, T, E) be a Petri net.

1. Given markings M and M' over N such that M ▷*_N M' by S, then there is a trace T over N such that •T = M and T• = M'.

2. Given a trace T over N, then there is a valid execution sequence S such that •T ▷*_N T• by S.

Proof.

1. The proof proceeds by induction on the sequence S = (t1, •x1, x1•), …, (tn, •xn, xn•) of execution steps that define the construction of M ▷*_N M' by S.

If S is empty, then M' = M. Then the triple T = (M, ∅, ∅) satisfies the definition of a trace, and moreover •T = T• = M.

Assume now that S = S*, (t, •x, x•). Then, there is a marking M* such that M ▷*_N M* by S*, and M* ▷_N M' by (t, •x, x•). By induction hypothesis there is a trace T* = (P̂*, T̂*, Ê*) such that •T* = M and T*• = M*. By definition of execution step, M' = (M* − (•x:•t)) ⊎ (x•:t•). We then define T' = (P̂', T̂', Ê') as follows:

• P̂' =  P̂* ∪ (x•:t•).

• T̂' = T̂* ∪ {(y:t)}, for some new label y.

• Ê' = Ê* ∪ {(y:t) ↦ ((•x:•t), (x•:t•))}.

Observe that •(y:t) = (•x:•t) and (y:t)• = (x•:t•).

We shall prove that T' is indeed a trace. Condition (1) follows by construction. Condition (2-a) is satisfied since •(y:t) ⊆ T*•. Finally, condition (2-b) holds since the labels in x• are new.

In order to conclude this case of the proof, we observe that •T' = M since the construction of T' from T* did not involve the introduction of any incoming edge to a place, and that T'• = M' because the set of places without an outgoing edge has been updated to exclude (•x:•t) and extended with (x•:t•), which is exactly how M' has been produced.




2. Since traces are acyclic, their nodes and edges naturally define a partial order upon which to base a proof by induction. Therefore, we will proceed by induction on the structure of T.

Our base case captures traces without any transition nodes. Therefore T = (P̂, ∅, ∅), for some labeled multiset of places P̂. Then •T = T• = P̂. Our statement is proved by taking S to be the empty sequence of transitions.

Assume now that T = (P̂, T̂, Ê) contains at least one transition node (ȳ:t̄). Then, there is at least one node (y:t) such that (y:t)• ⊆ T•. In order to show this, construct the sequence σ of transition nodes as follows: initialize σ to (ȳ:t̄). Let (y':t') be the last element in σ.

(a) If (y':t')• ⊆ T•, then (y':t') is the desired transition (y:t).

(b) Otherwise, there is a labeled place (x:p) and a labeled transition (y'':t'') such that (y':t')• ∋ (x:p) ∈ •(y'':t''). In this case, extend σ with (y'':t'') and repeat.

Since T is acyclic (and finite), this procedure can make use of (b) only a finite number of times before falling back on (a).

Let therefore (y:t) ∈ T̂ be one of the transition nodes in T such that (y:t)• ⊆ T•. We define the trace T' = (P̂', T̂', Ê') as follows:

• P̂' = P̂ \ (y:t)•.

• T̂' = T̂ \ {(y:t)}.

• Ê' = Ê \ {(y:t) ↦ (•(y:t), (y:t)•)}.

It is a simple exercise to verify that T' is a trace. Moreover, •T = •T' and T• = (T'• \ •(y:t)) ∪ (y:t)•.

By induction hypothesis, there is a transition sequence S' such that •T' ▷*_N T'• by S'. Let then •(y:t) = (•x:•t) and (y:t)• = (x•:t•). Then, the desired transition sequence S is defined as S', (t, •x, x•).

This concludes the sketch of this proof. □

This proof outlines a method for building a trace out of an execution sequence. It is worth making it more explicit. The trace associated with a transition sequence S and a marking M, denoted T_M(S), is defined as follows:

T_M(·) = (M, ∅, ∅)

T_M(S, (t, •x, x•)) = (P̂ ∪ (x•:t•), T̂ ∪ {(y:t)}, Ê ∪ {(y:t) ↦ ((•x:•t), (x•:t•))})
    where T_M(S) = (P̂, T̂, Ê) and y is a new label.

Applying this definition to the producer/consumer net, it is easy to check that T_{M_pc1}(S_pc) is a trace that differs from T_pc only by the names of labels not occurring in M_pc1.
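As an added, runnable illustration (not code from the report), the following Python models the interleaving semantics of Section 5.2.1 (firing with labeled tokens, the well-labeled condition, the exchange test of Lemma 5.1) together with the trace construction T_M(S) above and the initial and final markings •T and T• of Section 5.2.2, on the producer/consumer net. The net N_pc, the marking M_pc1 and the sequence S_pc are reconstructed from the text; the transition t_c and the exact token set of Figure 1 are assumptions, and the label-to-place convention (n3 is a token in n) follows the report's examples.

```python
from collections import Counter

# Producer/consumer net N_pc as t -> (•t, t•), both multisets of places. t_r, t_p
# and t_a are read off the execution S_pc in the text; t_c ("Consume") is assumed.
N_PC = {
    "t_r": (Counter({"r": 1}), Counter({"n": 1, "b": 1, "p": 1})),
    "t_p": (Counter({"p": 1}), Counter({"r": 1})),
    "t_a": (Counter({"a": 1, "b": 2}), Counter({"c": 1})),
    "t_c": (Counter({"c": 1}), Counter({"a": 1})),   # assumed
}
# Marking M_pc1 of Figure 1 as a labeled multiset (label -> place); the token set
# is constructed from the initial marking •T_pc quoted in Section 5.2.2.
M_PC1 = {"n1": "n", "n2": "n", "r1": "r", "a1": "a", "a2": "a",
         "b1": "b", "b2": "b", "b3": "b"}
# S_pc = (t_r, (r1), (n3, b4, p1)), (t_p, (p1), (r2)), (t_a, (a1, b1, b2), (c1))
S_PC = [("t_r", ("r1",), ("n3", "b4", "p1")),
        ("t_p", ("p1",), ("r2",)),
        ("t_a", ("a1", "b1", "b2"), ("c1",))]

def place_of(label):
    """Labels are mnemonic in the report: n3 is a token in place n."""
    return label.rstrip("0123456789")

def fire(net, marking, step):
    """One execution step M ▷_N M' by (t, •x, x•); ValueError if t is not
    enabled on the labels •x or the labels x• are not new."""
    t, pre_x, post_x = step
    pre_t, post_t = net[t]
    # •x must name distinct existing tokens whose places form exactly •t
    if len(set(pre_x)) != len(pre_x) or \
            Counter(marking.get(x) for x in pre_x) != pre_t:
        raise ValueError(f"{t} is not enabled on {pre_x}")
    # x• must be fresh labels whose places form exactly t•
    if any(x in marking for x in post_x) or Counter(map(place_of, post_x)) != post_t:
        raise ValueError(f"{t}: bad new labels {post_x}")
    m2 = {x: p for x, p in marking.items() if x not in pre_x}   # (X:M) − (•x:•t)
    m2.update({x: place_of(x) for x in post_x})                  # ⊎ (x•:t•)
    return m2

def execute(net, marking, seq):
    """M0 ▷*_N Mn by S: fire the steps of S in order and return Mn."""
    for step in seq:
        marking = fire(net, marking, step)
    return marking

def well_labeled(seq):
    """Each label is produced at most once, consumed at most once, and produced
    at an index i strictly before the index j at which it is consumed."""
    produced = [x for _, _, post_x in seq for x in post_x]
    consumed = [x for _, pre_x, _ in seq for x in pre_x]
    if len(set(produced)) < len(produced) or len(set(consumed)) < len(consumed):
        return False
    idx_p = {x: i for i, (_, _, post_x) in enumerate(seq) for x in post_x}
    idx_c = {x: j for j, (_, pre_x, _) in enumerate(seq) for x in pre_x}
    return all(idx_p[x] < j for x, j in idx_c.items() if x in idx_p)

def exchange(seq, i):
    """Well-labeled exchange S1 ~0 S2 of the steps at positions i and i+1, using
    the Lemma 5.1 test •x∩x'• = •x'∩x• = •x∩•x' = x•∩x'• = ∅; None if it fails."""
    (_, pre, post), (_, pre2, post2) = seq[i], seq[i + 1]
    a, b, c, d = set(pre), set(post), set(pre2), set(post2)
    if not well_labeled(seq) or (a & d) or (c & b) or (a & c) or (b & d):
        return None
    s2 = list(seq)
    s2[i], s2[i + 1] = s2[i + 1], s2[i]
    return s2

def trace_of(marking, seq):
    """T_M(S): (places, transitions y -> t, edges y -> (•(y:t), (y:t)•) as label sets)."""
    places, transitions, edges = dict(marking), {}, {}
    for k, (t, pre_x, post_x) in enumerate(seq):
        y = f"y{k + 1}"                                  # a new transition label
        places.update({x: place_of(x) for x in post_x})
        transitions[y] = t
        edges[y] = (frozenset(pre_x), frozenset(post_x))
    return places, transitions, edges

def is_trace(net, trace):
    """Restrictions (1), (2a) and (2b) of Section 5.2.2 on a candidate trace."""
    places, transitions, edges = trace
    consumed, produced = Counter(), Counter()
    for y, (pre, post) in edges.items():
        pre_t, post_t = net[transitions[y]]
        # (1): •(y:t) and (y:t)• carry the places of •t and t• with multiplicity
        if Counter(places.get(x) for x in pre) != pre_t or \
                Counter(places.get(x) for x in post) != post_t:
            return False
        consumed.update(pre)
        produced.update(post)
    # (2a)/(2b): every token is consumed at most once and produced at most once
    return all(n == 1 for n in consumed.values()) and \
        all(n == 1 for n in produced.values())

def boundary(trace):
    """(•T, T•): the places with no incoming edge and those with no outgoing edge."""
    places, _, edges = trace
    has_in = {x for _, post in edges.values() for x in post}
    has_out = {x for pre, _ in edges.values() for x in pre}
    return ({x: p for x, p in places.items() if x not in has_in},
            {x: p for x, p in places.items() if x not in has_out})
```

Running execute over S_pc and over its exchange S'_pc yields the same marking M_pc2 (Lemma 5.2), and boundary(trace_of(M_PC1, S_PC)) returns exactly (M_pc1, M_pc2), as Corollary 5.6 states.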

Indirectly, this definition provides a constructive method for extending a trace T with respect to a Petri net N: identify a transition t in N such that T• = (•x:•t), P̄ for some P̄; add the transition node (y:t) (for some new label y) and place nodes (x•:t•) for some new labels x•; add edges from (•x:•t) to (y:t) and from (y:t) to (x•:t•).

The above proof also outlines a method for flattening a trace T into an execution sequence S: repeatedly pull out a labeled transition with only initial places in its precondition until all transitions in T have been processed in this way. The following definition generalizes this technique by describing the set of transition sequences S(T) that can be extracted in this way from a trace T.


(·) ∈ S((P̂, ∅, ∅))

S, (t, •x, x•) ∈ S(T)   if T = (P̂ ∪ (y:t)•, T̂ ∪ {(y:t)}, Ê ∪ {(y:t) ↦ (•(y:t), (y:t)•)})
                             and (y:t)• ⊆ T•
                             and •(y:t) = (•x:•t)
                             and (y:t)• = (x•:t•)
                             and S ∈ S((P̂, T̂, Ê))

S ∈ S(T) is called a transition sequence underlying the trace T. In the producer/consumer example, it is easy to check that S(T_pc) = {S_pc, S'_pc, S''_pc}.

The Equivalence Property 5.5 can then be specialized to these constructions. The proofs of the following two corollaries can be excised from the proof of this property.

Corollary 5.6. (From transition sequences to traces)

If M ▷*_N M' by S, then T_M(S) is a trace. Moreover, M = •(T_M(S)) and M' = (T_M(S))•.

Corollary 5.7. (From traces to transition sequences)

If T is a trace, then for every S ∈ S(T), •T ▷*_N T• by S.

It is easy to show that the two above constructions are essentially inverses of each other.

Lemma 5.8. (S(_) and T(_) are each other’s inverse)

Let N be a Petri net.

1. If T is a trace and S ∈ S(T), then T_M(S) is isomorphic to T for M = •T.

2. If M ▷*_N M' by S, then S ∈ S(T_M(S)).

Proof.

1. This part of the proof proceeds by induction on the structure of S. Assume first that S = ·; then T = (P̂, ∅, ∅) and •T = P̂. By definition, we have that T_P̂(·) = (P̂, ∅, ∅), which is clearly isomorphic to T.

Assume now that S = S', (t, •x, x•). Then, it must be the case that

T = (P̂ ∪ (y:t)•, T̂ ∪ {(y:t)}, Ê ∪ {(y:t) ↦ (•(y:t), (y:t)•)})

with (y:t)• ⊆ T•, •(y:t) = (•x:•t), (y:t)• = (x•:t•) and S' ∈ S(T') where T' = (P̂, T̂, Ê).

By induction hypothesis, T_{M'}(S') is isomorphic to T' where M' = •T'. Let then M = •T; we have that M' = M − (•(y:t) ∩ M). Let T_{M'}(S') = (P̂', T̂', Ê'). By construction, we have that

T_M(S) = T_M(S', (t, •x, x•)) = (P̂' ∪ (x•:t•), T̂' ∪ {(y':t)}, Ê' ∪ {(y':t) ↦ ((•x:•t), (x•:t•))}).

We can then extend the isomorphism between T_{M'}(S') and T' to T_M(S) and T by relating the added places with identical labels, relating the added transitions labeled y and y' respectively, and relating the added edges in Ê and Ê' respectively.

2. The proof proceeds by induction on the structure of S. The case in which S = · is trivial. The inductive case, in which S = S', (t, •x, x•), is handled similarly to the proof of the first part of this lemma: we unfold T_M(S), deduce by induction hypothesis that S' ∈ S(T_{M'}(S')) for M' = M − (•(y:t) ∩ M), and then show that S ∈ S(T_M(S)).

This concludes the proof of this lemma. □

We will now show that traces are in one-to-one correspondence with the equivalence classes induced by the ~ relation over the set of well-labeled transition sequences. We begin by showing that whenever a trace can be linearized into two sequences then they are equivalent. First a technical lemma: whenever the places on the incoming edges of a transition belong to the initial marking, this transition can be shifted to the left of its current position.

Lemma 5.9. (Left permutability of initial transitions)

Let T be a trace. If (S, ξ, S') ∈ S(T) for ξ = (t, •x, x•), and •x ⊆ •T, then (ξ, S, S') ∈ S(T) and (S, ξ, S') ~ (ξ, S, S').

Proof. The proof proceeds by induction on the structure of S. The result holds trivially if S = ·. If S = S'', ξ'', we show by induction on S' that (S'', ξ, ξ'', S') ∈ S(T), which allows us to appeal to the main induction hypothesis to show that (ξ, S, S') ∈ S(T) and (S, ξ, S') ~ (ξ, S, S'). □

This property is used in the proof of the anticipated lemma linking transition sequences underlying the same trace.

Lemma 5.10. (Transition sequences underlying the same trace are equivalent)

If T is a trace and S1, S2 ∈ S(T), then S1 ~ S2.

Proof. Let T = (P̂, T̂, Ê). We proceed by induction on the size of T̂. If T̂ = ∅, then it must be the case that S1 = S2 = ·, which clearly satisfies the desired relation.

Assume then that S1 = ξ1, S1' and S2 = ξ2, S2'. If ξ1 = ξ2, then S1' ~ S2' by induction hypothesis since S1' and S2' must be defined on the same subtrace of T. From this, we easily obtain the desired result.

Otherwise, S1 = ξ1, S1', ξ2, S1'' and S2 = ξ2, S2', ξ1, S2''. By Lemma 5.9, we can conclude that (ξ2, ξ1, S1', S1''), (ξ1, ξ2, S2', S2'') ∈ S(T) and moreover S1 ~ (ξ2, ξ1, S1', S1'') and S2 ~ (ξ1, ξ2, S2', S2''). It is easy to show that (S1', S1'') and (S2', S2'') are defined on the same subtrace of T. Therefore, by induction hypothesis, (S1', S1'') ~ (S2', S2''), from which we deduce that (ξ2, ξ1, S1', S1'') ~ (ξ1, ξ2, S2', S2'') and therefore S1 ~ S2 by the transitivity of ~. □

We now prove the reverse inclusion by showing that equivalent execution sequences produce isomorphic traces. We will rely on the following lemma about well-labeled exchanges.

Lemma 5.11. (Trace isomorphism for well-labeled exchanges)

Given transition sequences $S_1$ and $S_2$ such that $M \rhd^*_N M'$ by $S_i$ (for $i = 1, 2$), if $S_1 \sim_0 S_2$ then $\mathcal{T}_M(S_1)$ is isomorphic to $\mathcal{T}_M(S_2)$.

Proof. By definition, $S_1 = (S, \xi, \xi', S')$ and $S_2 = (S, \xi', \xi, S')$ with $\xi = (t, {}^\bullet x, x^\bullet)$ and $\xi' = (t', {}^\bullet x', x'^\bullet)$. The proof proceeds by induction on $S'$.

First, assume that $S' = \cdot$. We expand $\mathcal{T}_M(S)$ as $(P, T, E)$. Then, by definition,
$$\mathcal{T}_M(S, \xi, \xi') = \bigl(P \cup (x^\bullet{:}t^\bullet) \cup (x'^\bullet{:}t'^\bullet),\;
T \cup \{(y_1{:}t), (y_1'{:}t')\},\;
E \cup \{(y_1{:}t) \mapsto (({}^\bullet x{:}{}^\bullet t), (x^\bullet{:}t^\bullet)),\ (y_1'{:}t') \mapsto (({}^\bullet x'{:}{}^\bullet t'), (x'^\bullet{:}t'^\bullet))\}\bigr)$$
and
$$\mathcal{T}_M(S, \xi', \xi) = \bigl(P \cup (x'^\bullet{:}t'^\bullet) \cup (x^\bullet{:}t^\bullet),\;
T \cup \{(y_2'{:}t'), (y_2{:}t)\},\;
E \cup \{(y_2'{:}t') \mapsto (({}^\bullet x'{:}{}^\bullet t'), (x'^\bullet{:}t'^\bullet)),\ (y_2{:}t) \mapsto (({}^\bullet x{:}{}^\bullet t), (x^\bullet{:}t^\bullet))\}\bigr).$$
Observe that $\mathcal{T}_M(S, \xi, \xi')$ and $\mathcal{T}_M(S, \xi', \xi)$ differ only by the names of the variables $y_1, y_1'$ versus $y_2, y_2'$. They are therefore clearly isomorphic.

The inductive case, in which $S' = \xi'', S''$, follows trivially by construction. □

This property extends naturally to equivalent well-labeled transition sequences.

Lemma 5.12. (Trace isomorphism for equivalent transition sequences)

Given transition sequences $S_1$ and $S_2$ such that $M \rhd^*_N M'$ by $S_i$ (for $i = 1, 2$), if $S_1 \sim S_2$ then $\mathcal{T}_M(S_1)$ is isomorphic to $\mathcal{T}_M(S_2)$.

Proof. By Lemma 5.3, there are transition sequences $S_0', \ldots, S_n'$ such that $S_1 = S_0'$, $S_2 = S_n'$, and $S_{i-1}' \sim_0 S_i'$ for $i = 1..n$. Moreover, by an iterated application of Lemma 5.2, we have that $M \rhd^*_N M'$ by $S_i'$ for $i = 1..n$.

Given these observations, the main part of this proof proceeds by induction over $n$, using Lemma 5.11 in the inductive case. □
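The objects of Lemmas 5.9 to 5.12 can be made concrete with a small Python model. The script below is an added worked example; it is not part of the report and not an implementation of CLF. A transition instance is the triple $(t, {}^\bullet x, x^\bullet)$ of the text, written as (t, pre_labels, post_labels); a marking is a dict from labels to places. The dict TYPES, the constants XI_R, XI_P, XI_A, and all function names are ours; the labels follow the producer/consumer run of Section 5.3.3 (p1, b4, n3, r2, c1). The code checks well-labeledness, builds $\mathcal{T}_M(S)$, compares traces up to isomorphism (which, since places keep their labels, reduces to forgetting the transition names $y$, exactly as in the proof of Lemma 5.11), enumerates the linearizations $\mathcal{S}(\mathcal{T})$, and constructs the chain of exchanges $\sim_0$ of Lemma 5.3 between two equivalent sequences.

```python
"""Traces and equivalence of well-labeled transition sequences (Section 5.2).

Added worked example, not code from the report. A transition instance is the
triple (t, •x, x•) of the text, here (t, pre_labels, post_labels); a marking
maps labels to places. TYPES, the XI_* constants and the function names are
ours; the instance labels follow the producer/consumer run of Section 5.3.3.
"""
from itertools import permutations

# Place types (•t, t•) of the producer/consumer transitions of Figure 1.
TYPES = {"t_p": (["p"], ["r"]), "t_r": (["r"], ["p", "b", "n"]),
         "t_a": (["b", "b", "a"], ["c"]), "t_c": (["c"], ["a"])}

# M_pc1 and the three instances of S_pc (constructed sample data).
M_PC1 = {"r1": "r", "n1": "n", "n2": "n", "b1": "b", "b2": "b", "b3": "b", "a1": "a"}
XI_R = ("t_r", ["r1"], ["p1", "b4", "n3"])
XI_P = ("t_p", ["p1"], ["r2"])              # consumes p1 produced by XI_R
XI_A = ("t_a", ["b1", "b2", "a1"], ["c1"])  # independent of the other two
S_PC = [XI_R, XI_P, XI_A]


def well_labeled(seq):
    """Every label is produced at most once and consumed at most once, and a
    label occurring in both roles is produced strictly before it is consumed."""
    produced, consumed = {}, {}
    for i, (_, pre, post) in enumerate(seq):
        for x in pre:
            if x in consumed:
                return False
            consumed[x] = i
        for x in post:
            if x in produced:
                return False
            produced[x] = i
    return all(produced[x] < consumed[x] for x in produced if x in consumed)


def execute(marking, seq):
    """M ⊳*_N M' by S: the final marking, or None if a pre-label is absent
    or has the wrong place type at the moment its transition fires."""
    m = dict(marking)
    for t, pre, post in seq:
        pre_t, post_t = TYPES[t]
        if [m.get(x) for x in pre] != pre_t:
            return None
        for x in pre:
            del m[x]
        m.update(zip(post, post_t))
    return m


def independent(a, b):
    """Adjacent instances may be exchanged (~0) when neither consumes a label
    the other produces: •x ∩ x'• = ∅ and •x' ∩ x• = ∅."""
    return not (set(a[1]) & set(b[2]) or set(b[1]) & set(a[2]))


def exchange_chain(s1, s2):
    """S_0 ~0 S_1 ~0 ... ~0 S_n with S_0 = s1 and S_n = s2 (Lemma 5.3),
    obtained by bubbling each instance of s2 leftwards through independent
    neighbours. None if s2 is not a well-labeled permutation of s1."""
    same = sorted(map(repr, s1)) == sorted(map(repr, s2))
    if not (same and well_labeled(s1) and well_labeled(s2)):
        return None
    cur, chain = list(s1), [list(s1)]
    for i, xi in enumerate(s2):
        j = cur.index(xi)
        while j > i:  # every neighbour passed is independent of xi
            if not independent(cur[j - 1], cur[j]):
                return None
            cur[j - 1], cur[j] = cur[j], cur[j - 1]
            chain.append(list(cur))
            j -= 1
    return chain


def equivalent(s1, s2):
    """S ~ S': the reflexive-transitive closure of ~0."""
    return exchange_chain(s1, s2) is not None


def trace_of(marking, seq):
    """T_M(S) = (P, T, E) with a fresh name y_i for each transition instance."""
    places = set(marking.items())
    trans, edges = [], {}
    for i, (t, pre, post) in enumerate(seq):
        pre_t, post_t = TYPES[t]
        y = f"y{i}"
        trans.append((y, t))
        places |= set(zip(post, post_t))
        edges[y] = (tuple(zip(pre, pre_t)), tuple(zip(post, post_t)))
    return frozenset(places), trans, edges


def canonical(trace):
    """Trace up to isomorphism: places keep their labels, so isomorphic traces
    differ only in the names y (proof of Lemma 5.11); forget them."""
    places, trans, edges = trace
    return places, frozenset((t,) + edges[y] for y, t in trans)


def linearizations(trace):
    """S(T): the orderings of the instances of T that are well-labeled and
    executable from its initial marking (the places nobody produces)."""
    places, trans, edges = trace
    produced = {x for _, post in edges.values() for x, _ in post}
    initial = {x: p for x, p in places if x not in produced}
    insts = [(t, [x for x, _ in edges[y][0]], [x for x, _ in edges[y][1]])
             for y, t in trans]
    return [list(s) for s in permutations(insts)
            if well_labeled(s) and execute(initial, s) is not None]
```

For $S_{pc}$ the trace has exactly three linearizations (t_a may be placed anywhere, t_p must follow t_r), all of them equivalent and all mapped to the same canonical trace; the sequence $(\xi_p, \xi_r, \xi_a)$ is the same multiset of instances but is rejected because it is not well-labeled, which is the condition Lemma 5.19 will reduce equivalence to.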


5.3 Sequential CLF Representation

We write $\ulcorner o \urcorner$ for the CLF representation of an object entity $o$. Different entities have different representations. Whenever the same entity has several representations (for example sets of labels), we distinguish them as $\ulcorner o \urcorner^{(i)}$, where $i$ is a progressive number. On some occasions, we write $\ulcorner o \urcorner^{o'}$ for the encoding of an object $o$ parameterized by (the representation of) another object $o'$.

5.3.1 Representation of Petri nets

Let $N = (P, T, E)$ be a Petri net. We define the CLF representation of $N$, written $\ulcorner N \urcorner$, as follows:
$$\ulcorner N \urcorner = \ulcorner P \urcorner, \ulcorner E \urcorner$$
where $\ulcorner P \urcorner$ is in turn defined as:
$$\ulcorner \emptyset \urcorner = \mathsf{place} : \mathsf{type},\ \mathsf{tok} : \mathsf{place} \to \mathsf{type}
\qquad
\ulcorner P \cup \{p\} \urcorner = \ulcorner P \urcorner, p : \mathsf{place}$$
and $\ulcorner E \urcorner$ is given by the following definitions:
$$\ulcorner \emptyset \urcorner = \cdot
\qquad
\ulcorner E \cup \{t \mapsto ({}^\bullet t, t^\bullet)\} \urcorner = \ulcorner E \urcorner, t : \ulcorner \overline{{}^\bullet t} \urcorner^{C} \quad\text{where } C = \{\ulcorner \overline{t^\bullet} \urcorner\}$$
The encodings $\ulcorner \overline{t^\bullet} \urcorner$ and $\ulcorner \overline{{}^\bullet t} \urcorner^{C}$ are respectively defined as:
$$\begin{array}{ll}
\ulcorner \emptyset \urcorner = 1 & \ulcorner \emptyset \urcorner^{C} = C \\[2pt]
\ulcorner \overline{t^\bullet} \uplus \{p\} \urcorner = \ulcorner \overline{t^\bullet} \urcorner \otimes \mathsf{tok}\ p
& \ulcorner \overline{{}^\bullet t} \uplus \{p\} \urcorner^{C} = \ulcorner \overline{{}^\bullet t} \urcorner^{(\mathsf{tok}\ p \multimap C)}
\end{array}$$
where we recall that the notation $\overline{m}$ indicates that the multiset $m$ is viewed as a sequence with respect to some canonical order.

The application of these definitions to the producer/consumer example from Figure 1 produces the following CLF signature:

    place : type.
    tok : place → type.

    r : place.    n : place.    c : place.
    p : place.    b : place.    a : place.

    t_p : tok p ⊸ {1 ⊗ tok r}.
    t_r : tok r ⊸ {1 ⊗ tok p ⊗ tok b ⊗ tok n}.
    t_a : tok b ⊸ tok b ⊸ tok a ⊸ {1 ⊗ tok c}.
    t_c : tok c ⊸ {1 ⊗ tok a}.

It should be observed how the encodings of the pre- and post-conditions of a transition are not symmetric: the former is modeled as iterated linear implications, while the latter is a synchronous formula inside a monad. It would be tempting to represent both using the monadic encoding, which is akin to the way Petri nets are traditionally rendered in linear logic [Cer95, MOM91, GG90]. For example, transition t_a would be represented as

    t_a : {1 ⊗ tok b ⊗ tok b ⊗ tok a} ⊸ {1 ⊗ tok c}.

While this is not incorrect, the behavior of this declaration is not what we would expect: it is applicable not only in a linear context containing two declarations of type tok b and one of type tok a, but also in any context that can be transformed (possibly by the application of other rules) into a context with these characteristics. In summary, our representation forces the execution of individual rules, while the alternative encoding allows their execution to be preceded by an arbitrary computation.
5.3.2 Representation of Markings

A marking $M$ has two representations. The first is simply a linear context consisting of all the places in $M$, indexed by their labels. We write it $\ulcorner M \urcorner^{(1)}$:
$$\ulcorner \emptyset \urcorner^{(1)} = \cdot
\qquad
\ulcorner M \uplus (x, p) \urcorner^{(1)} = \ulcorner M \urcorner^{(1)}, x \,\hat{:}\, \mathsf{tok}\ p$$
For example, the representation $\ulcorner M_{pc1} \urcorner^{(1)}$ of the producer/consumer net marking $M_{pc1}$ in Figure 1 is given by:
$$r_1 \,\hat{:}\, \mathsf{tok}\ r,\ n_1 \,\hat{:}\, \mathsf{tok}\ n,\ b_1 \,\hat{:}\, \mathsf{tok}\ b,\ b_3 \,\hat{:}\, \mathsf{tok}\ b,\ a_1 \,\hat{:}\, \mathsf{tok}\ a,\ n_2 \,\hat{:}\, \mathsf{tok}\ n,\ b_2 \,\hat{:}\, \mathsf{tok}\ b.$$

The second representation of a marking $M$ consists of a pair whose first component is obtained by tensoring all the labels in $M$. The second component is the tensor of the representations of the places in $M$. We denote this encoding as $\ulcorner M \urcorner^{(2)}$, which we will often expand as $(\ulcorner M \urcorner^{(2')}, \ulcorner M \urcorner^{(2'')})$. The two components are positionally synchronized with respect to $M$: we achieve this by referring to the canonical ordering of this multiset, which we denoted $\overline{M}$.
$$\ulcorner \emptyset \urcorner^{(2)} = (1, 1)
\qquad
\ulcorner \overline{M} \uplus (x, p) \urcorner^{(2)} = (\ulcorner \overline{M} \urcorner^{(2')} \otimes x,\ \ulcorner \overline{M} \urcorner^{(2'')} \otimes \mathsf{tok}\ p)$$
This second representation function yields the following pair when applied to the second marking $M_{pc2}$ for the producer/consumer net (displayed in Figure 2):
$$\ulcorner M_{pc2} \urcorner^{(2)} = (1 \otimes r_2 \otimes c_1 \otimes n_1 \otimes n_2 \otimes n_3 \otimes b_3 \otimes b_4,\
1 \otimes \mathsf{tok}\ r \otimes \mathsf{tok}\ c \otimes \mathsf{tok}\ n \otimes \mathsf{tok}\ n \otimes \mathsf{tok}\ n \otimes \mathsf{tok}\ b \otimes \mathsf{tok}\ b)$$
It should be observed that this representation, and in particular the presence of labels, is a direct implementation of the "individual token approach" to Petri nets [BMMS98, BM00]. This derives from the fact that CLF, like most logical frameworks, forces every assumption to have a unique name. An extension of CLF with proof irrelevance [Pfe01a] would avoid this artificiality, allowing a direct representation of the "collective token philosophy". We intend to investigate this possibility as future work.

5.3.3 Representation of Execution Sequences

Let $M$ and $M'$ be markings and $\mathcal{S} = \ulcorner M' \urcorner^{(2')}$. Given the execution sequence $S$ such that $M \rhd^*_N M'$ by $S$, we denote the representation of $S$ with respect to $\mathcal{S}$ as $\ulcorner S \urcorner^{\mathcal{S}}$. It is defined as follows:
$$\ulcorner \cdot \urcorner^{\mathcal{S}} = \mathcal{S}
\qquad
\ulcorner (t, {}^\bullet x, x^\bullet), S \urcorner^{\mathcal{S}} = \mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ \ulcorner S \urcorner^{\mathcal{S}}$$
where the encodings $\ulcorner x^\bullet \urcorner$ and $\ulcorner {}^\bullet x \urcorner^{R}$ of the sets of variables $x^\bullet$ and ${}^\bullet x$ are defined as follows, respectively:
$$\begin{array}{ll}
\ulcorner \emptyset \urcorner = 1 & \ulcorner \emptyset \urcorner^{R} = R \\[2pt]
\ulcorner x^\bullet \cup \{x\} \urcorner = \ulcorner x^\bullet \urcorner \otimes x & \ulcorner {}^\bullet x \cup \{x\} \urcorner^{R} = \ulcorner {}^\bullet x \urcorner^{(R\,\hat{}\,x)}
\end{array}$$
We shall require that these encodings be positionally synchronized with $t$, so that the labels in $\ulcorner {}^\bullet x \urcorner^{t}$ match the places in the antecedent of $\ulcorner t \urcorner$ and the labels in $\ulcorner x^\bullet \urcorner$ are in the same order as the corresponding place representations in the consequent of $\ulcorner t \urcorner$.

On the basis of these definitions, the CLF representation of the execution sequence $S_{pc}$ given in Section 5.2.1 for the producer/consumer example, with respect to $\ulcorner M_{pc2} \urcorner^{(2')}$, has the following form:
$$\begin{array}{l}
\ulcorner S_{pc} \urcorner^{\ulcorner M_{pc2} \urcorner^{(2')}} = \mathbf{let}\ 1 \otimes n_3 \otimes b_4 \otimes p_1 = t_r\,\hat{}\,r_1\ \mathbf{in} \\
\qquad \mathbf{let}\ 1 \otimes r_2 = t_p\,\hat{}\,p_1\ \mathbf{in} \\
\qquad \mathbf{let}\ 1 \otimes c_1 = t_a\,\hat{}\,a_1\,\hat{}\,b_1\,\hat{}\,b_2\ \mathbf{in} \\
\qquad 1 \otimes r_2 \otimes c_1 \otimes n_1 \otimes n_2 \otimes n_3 \otimes b_3 \otimes b_4
\end{array}$$
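The encoding of Sections 5.3.1 to 5.3.3 can be exercised mechanically. The Python script below is an added worked example, not part of the report and not an implementation of CLF: it fires the producer/consumer net with individually labeled tokens, renders the signature $\ulcorner N_{pc} \urcorner$ and the let-expression $\ulcorner S_{pc} \urcorner$ of this section as text, and contrasts the immediate applicability enforced by the chosen encoding with the "eventual" applicability of the rejected monadic-antecedent encoding discussed in Section 5.3.1. PLACES, TRANSITIONS, M_PC1, S_PC and all function names are ours; fresh post-labels are generated as the first unused p1, b4, n3, ... which coincides with the labels of the text. Arguments and let-patterns follow the order of the antecedent and consequent of each transition's type, as the positional synchronization requirement demands, so the pattern for t_r reads p1 ⊗ b4 ⊗ n3 rather than the order printed above.

```python
"""Producer/consumer Petri net of Section 5 fired with individual tokens and
rendered in the CLF encoding of Section 5.3.

Added worked example, not code from the report or a CLF implementation.
Places, transitions, M_pc1 and S_pc are those of Figures 1 and 2; the Python
names are ours.
"""
from collections import Counter, deque

PLACES = ["r", "n", "c", "p", "b", "a"]
# t -> (•t, t•) as lists: argument and pattern positions below follow them.
TRANSITIONS = {
    "t_p": (["p"], ["r"]),
    "t_r": (["r"], ["p", "b", "n"]),
    "t_a": (["b", "b", "a"], ["c"]),
    "t_c": (["c"], ["a"]),
}
# M_pc1 as label -> place (the linear context ⌜M⌝^(1) without the "tok").
M_PC1 = {"r1": "r", "n1": "n", "n2": "n", "b1": "b", "b2": "b", "b3": "b", "a1": "a"}
# S_pc: (transition, •x in antecedent order); x• is generated while firing.
S_PC = [("t_r", ["r1"]), ("t_p", ["p1"]), ("t_a", ["b1", "b2", "a1"])]


def clf_signature(places=PLACES, transitions=TRANSITIONS):
    """⌜N⌝: pre-conditions as iterated ⊸, post-conditions inside a monad."""
    sig = ["place : type.", "tok : place -> type."] + [f"{p} : place." for p in places]
    for t, (pre, post) in transitions.items():
        ante = " ⊸ ".join(f"tok {p}" for p in pre)
        cons = " ⊗ ".join(["1"] + [f"tok {p}" for p in post])
        sig.append(f"{t} : {ante} ⊸ {{{cons}}}.")
    return sig


def fresh_label(place, used):
    """First of p1, p2, ... never used in this run, so the sequence stays well-labeled."""
    k = 1
    while f"{place}{k}" in used:
        k += 1
    used.add(f"{place}{k}")
    return f"{place}{k}"


def fire(marking, used, t, pre_labels, transitions=TRANSITIONS):
    """One step M ⊳_N M' by (t, •x, x•); returns (M', x•).
    t consumes exactly the tokens named in •x, which must be present now
    with the place types of •t (the reading enforced by ⌜t⌝)."""
    pre, post = transitions[t]
    if [marking.get(x) for x in pre_labels] != pre:
        raise ValueError(f"{t} is not enabled on {pre_labels}")
    new = {x: p for x, p in marking.items() if x not in pre_labels}
    post_labels = [fresh_label(p, used) for p in post]
    new.update(zip(post_labels, post))
    return new, post_labels


def run(marking, steps, transitions=TRANSITIONS):
    """M ⊳*_N M' by S; returns M' and the instantiated triples (t, •x, x•)."""
    used, triples = set(marking), []
    for t, pre_labels in steps:
        marking, post_labels = fire(marking, used, t, pre_labels, transitions)
        triples.append((t, list(pre_labels), post_labels))
    return marking, triples


def marking_pair(marking):
    """⌜M⌝^(2) = (⌜M⌝^(2'), ⌜M⌝^(2'')): labels and their tok types in one
    fixed (here: insertion) order, so the two components stay synchronized."""
    return (" ⊗ ".join(["1"] + list(marking)),
            " ⊗ ".join(["1"] + [f"tok {p}" for p in marking.values()]))


def clf_sequence(final_marking, triples):
    """⌜S⌝^S with S = ⌜M'⌝^(2'): one let per firing, then the final labels."""
    lets = [f"let {' ⊗ '.join(['1'] + post)} = {'^'.join([t] + pre)} in"
            for t, pre, post in triples]
    return "\n".join(lets + [marking_pair(final_marking)[0]])


def enabled_now(marking, t, transitions=TRANSITIONS):
    """Applicability of ⌜t⌝ = tok p1 ⊸ ... ⊸ {...}: •t must be in the marking now."""
    have = Counter(marking.values())
    return all(have[p] >= k for p, k in Counter(transitions[t][0]).items())


def enabled_eventually(marking, t, transitions=TRANSITIONS, limit=1000):
    """Applicability of the rejected {1 ⊗ ...} ⊸ {...} encoding: t may be
    preceded by an arbitrary computation, so search the reachable (collective)
    markings. The net is unbounded, hence the bound on explored states."""
    start = tuple(sorted(Counter(marking.values()).items()))
    seen, todo = {start}, deque([start])
    while todo and len(seen) <= limit:
        m = Counter(dict(todo.popleft()))
        if all(m[p] >= k for p, k in Counter(transitions[t][0]).items()):
            return True
        for pre, post in transitions.values():
            if all(m[p] >= k for p, k in Counter(pre).items()):
                nxt = tuple(sorted((m - Counter(pre) + Counter(post)).items()))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return False
```

Running run(M_PC1, S_PC) reproduces the marking $M_{pc2}$ of Figure 2 with the labels of the text, and clf_sequence(...) prints the three lets of $\ulcorner S_{pc} \urcorner$; enabled_now(M_PC1, "t_c") is false while enabled_eventually(M_PC1, "t_c") is true, which is precisely the distinction drawn at the end of Section 5.3.1.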


5.3.4 Adequacy Theorems

We will now show that our encoding correctly captures the definition of Petri nets given in Section 5.2. More precisely, we will concentrate on the relation between transition sequences and canonical expressions derivable in our setting. We first verify that the encoding of a transition sequence between two markings is a typable expression relative to the representation of these two markings.

Lemma 5.13. (Soundness of the sequential representation of Petri nets)

Let $N$ be a Petri net and $M, M'$ be two markings over $N$. If $M \rhd^*_N M'$ by $S$, then there is a derivation $\mathcal{E}$ of
$$\cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} \leftarrow \ulcorner M' \urcorner^{(2'')}$$

Proof. The proof proceeds by induction over $S$. If $S$ is the empty execution sequence, then $M = M'$. Since $\ulcorner M' \urcorner^{(2)}$ is positionally synchronized, it is easy to prove that the judgment
$$\cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner M \urcorner^{(2')} \leftarrow \ulcorner M \urcorner^{(2'')}$$
is derivable.

Assume now that $S = (t, {}^\bullet x, x^\bullet), S'$. Then, by definition of execution sequence,
$$M \rhd_N M''\ \text{by}\ (t, {}^\bullet x, x^\bullet) \qquad\text{and}\qquad M'' \rhd^*_N M'\ \text{by}\ S'$$
for some marking $M''$. We then have that $M'' = (M - ({}^\bullet x{:}{}^\bullet t)) \uplus (x^\bullet{:}t^\bullet)$.

By induction hypothesis, there is a derivation $\mathcal{E}'$ of
$$\cdot;\ \ulcorner M'' \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner S' \urcorner^{\ulcorner M' \urcorner^{(2')}} \leftarrow \ulcorner M' \urcorner^{(2'')}$$
Observe that
$$\ulcorner M'' \urcorner^{(1)} = \Delta, \ulcorner (x^\bullet{:}t^\bullet) \urcorner^{(1)} \qquad\text{where } \Delta \text{ is such that } \ulcorner M \urcorner^{(1)} = \Delta, \ulcorner ({}^\bullet x{:}{}^\bullet t) \urcorner^{(1)}$$
Now, $\ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} = \mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ \ulcorner S' \urcorner^{\ulcorner M' \urcorner^{(2')}}$. Thanks to our synchronization assumptions on the definition of $\ulcorner x^\bullet \urcorner$ and $\ulcorner {}^\bullet x \urcorner^{t}$, it is easy to show that there is a CLF derivation $\mathcal{R}$ of $\cdot;\ \ulcorner ({}^\bullet x{:}{}^\bullet t) \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner {}^\bullet x \urcorner^{t} \Rightarrow \{\ulcorner t^\bullet \urcorner\}$. Once we observe that the pattern abbreviation $\ulcorner x^\bullet \urcorner : \ulcorner t^\bullet \urcorner$ expands to the context $\ulcorner (x^\bullet{:}t^\bullet) \urcorner^{(1)}$, we simply use rule $\{\}E$ to construct the desired derivation of $\cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} \leftarrow \ulcorner M' \urcorner^{(2'')}$. □

Although proving the adequacy of this encoding when execution sequences are extended from the left is relatively easy, as shown in the above proof, handling the dual extension is complicated and requires a procedure akin to cut-elimination for a sequent formulation of CLF.

It is easy to validate the above lemma on our running example: the following judgment is derivable:
$$\cdot;\ \ulcorner M_{pc1} \urcorner^{(1)} \vdash_{\ulcorner N_{pc} \urcorner} \ulcorner S_{pc} \urcorner^{\ulcorner M_{pc2} \urcorner^{(2')}} \leftarrow \ulcorner M_{pc2} \urcorner^{(2'')}$$
We now show the complementary result: any well-typed CLF expression relative to two markings is the encoding of some transition sequence between them.

Lemma 5.14. (Completeness of the sequential representation of Petri nets)

Let $N$ be a Petri net and $M, M'$ be two markings over $N$. If $\mathcal{E} :: \cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} E \leftarrow \ulcorner M' \urcorner^{(2'')}$, then there is an execution sequence $S$ such that
$$M \rhd^*_N M'\ \text{by}\ S \qquad\text{and}\qquad \ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} = E$$

Proof. The proof proceeds by induction on the structure of $\mathcal{E}$. By inversion, there are two cases to examine. Below we write $\mathbf{M}$ for a monadic object, to keep it apart from the marking $M$.

1. Let us first consider the situation where $\mathcal{E}$ has rule $\Leftarrow\!\leftarrow$ as its last inference:
$$\mathcal{E} = \dfrac{\mathcal{E}' \;::\; \cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \mathbf{M} \Leftarrow \ulcorner M' \urcorner^{(2'')}}{\cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \mathbf{M} \leftarrow \ulcorner M' \urcorner^{(2'')}}\ \Leftarrow\!\leftarrow$$
where $E = \mathbf{M}$.

We prove by induction on the structure of $\ulcorner M' \urcorner^{(2'')}$ that if $\cdot;\ \Delta \vdash_{\ulcorner N \urcorner} \mathbf{M} \Leftarrow \ulcorner M' \urcorner^{(2'')}$, then $\Delta = \ulcorner M' \urcorner^{(1)}$ and $\mathbf{M} = \ulcorner M' \urcorner^{(2')}$. If $M' = \emptyset$, then $\ulcorner M' \urcorner^{(2'')} = 1$. By inversion on rule $1I$, we deduce that $\mathbf{M} = 1$ and $\Delta = \cdot$, which is exactly what we are looking for.

Assume now that $M' = M^*, (x{:}p)$, so that $\ulcorner M' \urcorner^{(2'')} = \ulcorner M^* \urcorner^{(2'')} \otimes \mathsf{tok}\ p$. Then, by inversion on rule $\otimes I$, we can rewrite $\mathcal{E}'$ as
$$\mathcal{E}' = \dfrac{\mathcal{E}_1' \;::\; \cdot;\ \Delta_1 \vdash_{\ulcorner N \urcorner} \mathbf{M}_1 \Leftarrow \ulcorner M^* \urcorner^{(2'')} \qquad \mathcal{E}_2' \;::\; \cdot;\ \Delta_2 \vdash_{\ulcorner N \urcorner} \mathbf{M}_2 \Leftarrow \mathsf{tok}\ p}{\cdot;\ \Delta_1, \Delta_2 \vdash_{\ulcorner N \urcorner} \mathbf{M}_1 \otimes \mathbf{M}_2 \Leftarrow \ulcorner M^* \urcorner^{(2'')} \otimes \mathsf{tok}\ p}\ \otimes I$$
By induction hypothesis on $\mathcal{E}_1'$, $\Delta_1 = \ulcorner M^* \urcorner^{(1)}$ and $\mathbf{M}_1 = \ulcorner M^* \urcorner^{(2')}$. We only need to show that $\Delta_2 = x \,\hat{:}\, \mathsf{tok}\ p$ and $\mathbf{M}_2 = x$. Since all positive occurrences of atomic types of the form $\mathsf{tok}\ p$ appear within a monad in $\ulcorner N \urcorner$, only the rule that uses the linear hypothesis $x$ is applicable, which precisely satisfies our requirements.

The result we just proved allows us to deduce that $M = M'$ in $\mathcal{E}$. Therefore, it must be the case that $S = \cdot$, so that $\ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} = \mathbf{M}$.

2. Assume now that the last rule applied in $\mathcal{E}$ is
$$\mathcal{E} = \dfrac{\mathcal{E}_1 \;::\; \cdot;\ \Delta_1 \vdash_{\ulcorner N \urcorner} R \Rightarrow \{S_0\} \qquad \mathcal{E}_2 \;::\; \cdot;\ \Delta_2;\ p \,\hat{:}\, S_0 \vdash_{\ulcorner N \urcorner} E' \leftarrow \ulcorner M' \urcorner^{(2'')}}{\cdot;\ \Delta_1, \Delta_2 \vdash_{\ulcorner N \urcorner} \mathbf{let}\ \{p\} = R\ \mathbf{in}\ E' \leftarrow \ulcorner M' \urcorner^{(2'')}}\ \{\}E$$
where $\ulcorner M \urcorner^{(1)} = (\Delta_1, \Delta_2)$ and $E = (\mathbf{let}\ \{p\} = R\ \mathbf{in}\ E')$.

By inspection of $\ulcorner N \urcorner$, a type of the form $\{S_0\}$ appears only in the declaration $\ulcorner t \urcorner$ for some transition $t$, and it cannot be constructed otherwise. Therefore, it must be the case that $S_0 = \ulcorner t^\bullet \urcorner$. We then prove by induction over $\mathcal{E}_1$ that $\Delta_1 = \ulcorner ({}^\bullet x{:}{}^\bullet t) \urcorner^{(1)}$ for appropriate variables ${}^\bullet x$, and that $R = \ulcorner {}^\bullet x \urcorner^{t}$.

By inversion on $\mathcal{E}_2$, the right premise of $\mathcal{E}$ reduces to $\cdot;\ \Delta_2, \ulcorner (x^\bullet{:}t^\bullet) \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} E' \leftarrow \ulcorner M' \urcorner^{(2'')}$ for appropriate variables $x^\bullet$. The context $\Delta_2, \ulcorner (x^\bullet{:}t^\bullet) \urcorner^{(1)}$ therefore corresponds to the representation of a marking $M^*$ such that $M^* = (M - ({}^\bullet x{:}{}^\bullet t)) \uplus (x^\bullet{:}t^\bullet)$. By induction hypothesis, there is a transition sequence $S'$ such that $M^* \rhd^*_N M'$ by $S'$ and $\ulcorner S' \urcorner^{\ulcorner M' \urcorner^{(2')}} = E'$.

If we now define $S = (t, {}^\bullet x, x^\bullet), S'$, we obtain that $M \rhd^*_N M'$ by $S$ and $\ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}} = E$.

This concludes our proof. □

We can finally put these two results together in the following adequacy theorem for our sequential CLF representation of Petri nets.

Theorem 5.15. (Adequacy of the sequential representation of Petri nets)

Let $N$ be a Petri net and $M, M'$ be two markings over $N$. There is a bijection between execution sequences $S$ such that
$$M \rhd^*_N M'\ \text{by}\ S$$
and terms $E$ such that the judgment
$$\cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} E \leftarrow \ulcorner M' \urcorner^{(2'')}$$
is derivable in CLF.

Proof. This is a simple corollary of Lemmas 5.13 and 5.14. □

5.4 Concurrent CLF Representation

Another way to express the behavior of a Petri net in CLF is to give a representation of traces and show its adequacy. Rather than presenting a direct encoding of these objects, we will exploit the meta-theory developed in Section 5.2 to relate traces and transition sequences. We will indirectly represent a trace through one of its underlying transition sequences, in such a way that the definitional equality of CLF makes the choice of the actual representative irrelevant.
5.4.1 Representation of Traces

We will keep the encoding of Petri nets and markings unchanged from Section 5.3. Recall that a trace $\mathcal{T}$ over a Petri net $N$ relates the initial marking ${}^\bullet\mathcal{T}$ of $\mathcal{T}$ to its final marking $\mathcal{T}^\bullet$. We will rely on the encodings $\ulcorner {}^\bullet\mathcal{T} \urcorner^{(1)}$ and $\ulcorner \mathcal{T}^\bullet \urcorner^{(2)} = (\ulcorner \mathcal{T}^\bullet \urcorner^{(2')}, \ulcorner \mathcal{T}^\bullet \urcorner^{(2'')})$ defined in Section 5.3.2.

We denote the representation of a trace $\mathcal{T}$ as $\ulcorner \mathcal{T} \urcorner$. It is defined as $\ulcorner S \urcorner^{\mathcal{S}}$ for an arbitrary execution sequence $S \in \mathcal{S}(\mathcal{T})$, where $\mathcal{S} = \ulcorner \mathcal{T}^\bullet \urcorner^{(2')}$ as defined in Section 5.3. Therefore, the representation $\ulcorner \mathcal{T}_{pc} \urcorner$ of the producer/consumer trace shown in Figure 3 can be defined as $\ulcorner S_{pc} \urcorner^{\mathcal{S}}$ where $\mathcal{S} = \ulcorner \mathcal{T}_{pc}^\bullet \urcorner^{(2')}$. The attentive reader may object that a different pick $S'$ of the transition sequence chosen from $\mathcal{S}(\mathcal{T})$ will yield a different CLF expression, so that the encoding of a trace $\mathcal{T}$ is not well-defined. While we acknowledge this observation, we will show that the representations of any two transition sequences in $\mathcal{S}(\mathcal{T})$ are equal modulo $=_c$, and will therefore be indistinguishable as CLF objects.

We know by Lemma 5.10 that if two transition sequences $S$ and $S'$ underlie the same trace $\mathcal{T}$, then they are equivalent modulo $\sim$. We will therefore prove that the CLF encodings of two such sequences are equal modulo $=_c$. In order to show this result, we will need the following lemma, which states that this property holds of well-labeled exchanges.

Lemma 5.16. (Well-labeled exchanges have equal CLF representations)

Let $S$ and $S'$ be two execution sequences and $M$ a marking over a Petri net $N$. If $S \sim_0 S'$, then $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$.

Proof. Let $S = \hat S, \xi, \xi', \hat S'$ and $S' = \hat S, \xi', \xi, \hat S'$ with $\xi = (t, {}^\bullet x, x^\bullet)$ and $\xi' = (t', {}^\bullet x', x'^\bullet)$.

By definition, $\ulcorner \xi, \xi', \hat S' \urcorner^{\ulcorner M \urcorner^{(2')}} = \mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ (\mathbf{let}\ \ulcorner x'^\bullet \urcorner = \ulcorner {}^\bullet x' \urcorner^{t'}\ \mathbf{in}\ E)$ and $\ulcorner \xi', \xi, \hat S' \urcorner^{\ulcorner M \urcorner^{(2')}} = \mathbf{let}\ \ulcorner x'^\bullet \urcorner = \ulcorner {}^\bullet x' \urcorner^{t'}\ \mathbf{in}\ (\mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ E)$, where $E = \ulcorner \hat S' \urcorner^{\ulcorner M \urcorner^{(2')}}$.

Since $S$ and $S'$ are well-labeled, we have that ${}^\bullet x \cap x'^\bullet = \emptyset$ and ${}^\bullet x' \cap x^\bullet = \emptyset$. By definition of execution sequence, we clearly have that $x^\bullet \cap x'^\bullet = \emptyset$. Therefore, $\ulcorner \xi, \xi', \hat S' \urcorner^{\ulcorner M \urcorner^{(2')}}$ and $\ulcorner \xi', \xi, \hat S' \urcorner^{\ulcorner M \urcorner^{(2')}}$ satisfy the constraints for applying the let-rule of definitional equality, and
$$\mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ (\mathbf{let}\ \ulcorner x'^\bullet \urcorner = \ulcorner {}^\bullet x' \urcorner^{t'}\ \mathbf{in}\ E)
\;=_c\;
\mathbf{let}\ \ulcorner x'^\bullet \urcorner = \ulcorner {}^\bullet x' \urcorner^{t'}\ \mathbf{in}\ (\mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ E)$$
where the witnessing concurrent context is $\epsilon = \mathbf{let}\ \ulcorner x'^\bullet \urcorner = \ulcorner {}^\bullet x' \urcorner^{t'}\ \mathbf{in}\ \_$.

Since $=_c$ is a congruence, a simple inductive argument shows that $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$. □

The similar result for well-labeled equivalent transition sequences then follows immediately.

Lemma 5.17. (Well-labeled equivalent transition sequences have equal CLF representations)

Let $S$ and $S'$ be two execution sequences and $M$ a marking over a Petri net $N$. If $S \sim S'$, then $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$.

Proof. By Lemma 5.3, there are transition sequences $S_0, \ldots, S_n$ such that $S = S_0$, $S' = S_n$, and $S_{i-1} \sim_0 S_i$ for $i = 1..n$. By the above Lemma 5.16, $\ulcorner S_{i-1} \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S_i \urcorner^{\ulcorner M \urcorner^{(2')}}$ for $i = 1..n$. Therefore, by the transitivity of $=_c$, $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$. □

We can now patch together the various parts of our argument to show that the representation of a trace is indeed well-defined.

Corollary 5.18. (Representation of traces is well-defined)

Let $\mathcal{T}$ be a trace over a Petri net $N$. Then $\ulcorner \mathcal{T} \urcorner$ is well-defined modulo $=_c$.

Proof. By Lemma 5.10, if $S_1, S_2 \in \mathcal{S}(\mathcal{T})$, then $S_1 \sim S_2$. By Lemma 5.17, for any $M$, $\ulcorner S_1 \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \ulcorner S_2 \urcorner^{\ulcorner M \urcorner^{(2')}}$, in particular for $M = \mathcal{T}^\bullet$. □
Knowing that every transition sequence underlying a trace $\mathcal{T}$ is mapped to equal CLF expressions (modulo $=_c$) is however not sufficient: there may be CLF objects that are equal modulo $=_c$ to the representation of $\mathcal{T}$ but that are not the encoding of any transition sequence underlying it. We will now show that this cannot happen. In order to do so, we will prove that any such object must be the representation of some transition sequence underlying $\mathcal{T}$, and therefore of a member of $\mathcal{S}(\mathcal{T})$.

Lemma 5.19. (Completeness of the representation for well-labeled equivalent transition sequences)

Let $S$ be a well-labeled execution sequence and $M$ a marking over a Petri net $N$. If $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c E$, then there is an execution sequence $S'$ such that $S \sim S'$ and $E = \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$.

Proof. We proceed by induction on a derivation $\mathcal{E}$ of the judgment $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c E$. We need to distinguish two cases.

1. We first examine the situation where $E$ is a monadic object $\mathbf{M}$. Therefore,
$$\mathcal{E} = \dfrac{\mathcal{E}' \;::\; \ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} = \mathbf{M}}{\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \mathbf{M}}$$
By definition, $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}}$ is a monadic object if and only if $S = \cdot$, and furthermore this term reduces to $\ulcorner M \urcorner^{(2')}$. A simple induction on the number of elements in $M$ shows that $\mathbf{M}$ must be identical to $\ulcorner M \urcorner^{(2')}$, hence $\mathbf{M} = \ulcorner \cdot \urcorner^{\ulcorner M \urcorner^{(2')}}$ and $S' = S = \cdot$ is the sequence we are looking for.

2. The second option requires that both sides of $=_c$ be proper expressions. In order for this to be possible, it must be the case that $S = (t, {}^\bullet x, x^\bullet), \hat S$ for some transition $t$, so that $\ulcorner S \urcorner^{\ulcorner M \urcorner^{(2')}} = \mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ \ulcorner \hat S \urcorner^{\ulcorner M \urcorner^{(2')}}$. The last rule applied in $\mathcal{E}$ has therefore the form:
$$\mathcal{E} = \dfrac{\mathcal{E}' \;::\; \ulcorner {}^\bullet x \urcorner^{t} = R \qquad \mathcal{E}'' \;::\; \ulcorner \hat S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \epsilon[E_0]}{\mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ \ulcorner \hat S \urcorner^{\ulcorner M \urcorner^{(2')}} =_c \epsilon[\mathbf{let}\ \ulcorner x^\bullet \urcorner = R\ \mathbf{in}\ E_0]}$$
where $E = \epsilon[\mathbf{let}\ \ulcorner x^\bullet \urcorner = R\ \mathbf{in}\ E_0]$ for some concurrent context $\epsilon$, atomic object $R$ and expression $E_0$.

By reasoning steps similar to the first part of this proof, we can deduce that $R = \ulcorner {}^\bullet x \urcorner^{t}$. By induction hypothesis on $\mathcal{E}''$, we also have that $\hat S \sim S'$ and $\epsilon[E_0] = \ulcorner S' \urcorner^{\ulcorner M \urcorner^{(2')}}$ for some execution sequence $S'$.

By induction on $\epsilon$, we can partition $S'$ into two subsequences $S'_\epsilon$ and $S'_E$ such that $S' = S'_\epsilon, S'_E$, $E_0 = \ulcorner S'_E \urcorner^{\ulcorner M \urcorner^{(2')}}$, and $\epsilon$ encodes $S'_\epsilon$ (with some abuse of notation, we may write $\epsilon = \ulcorner S'_\epsilon \urcorner^{\_}$).

By the definition of $\ulcorner \_ \urcorner^{\_}$, it is clear that $\epsilon[\mathbf{let}\ \ulcorner x^\bullet \urcorner = \ulcorner {}^\bullet x \urcorner^{t}\ \mathbf{in}\ E_0] = \ulcorner S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E \urcorner^{\ulcorner M \urcorner^{(2')}}$. Therefore, we only need to prove that $S \sim (S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E)$ (remember that $S = (t, {}^\bullet x, x^\bullet), \hat S$). By definition of execution sequence equivalence, this reduces to showing that $(S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E)$ is well-labeled.

A sequence is well-labeled if every label in it occurs at most once in a pre-condition and at most once in a post-condition, and whenever it occurs in both, the transition mentioning it in its post-condition is to the left of the transition having it in its pre-condition. The first requirement holds of $(S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E)$ since $S$ is well-labeled and contains exactly the same transition witnesses. The second requirement derives from the constraints associated with the above rule. In particular, in order for this rule to be applicable, it must be the case that ${}^\bullet x \cap BV(\epsilon) = \emptyset$. Now, by definition, $BV(\epsilon)$ collects all the post-conditions occurring in $S'_\epsilon$. Therefore $(S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E)$ is a well-labeled permutation of $S$, and therefore $S \sim (S'_\epsilon, (t, {}^\bullet x, x^\bullet), S'_E)$.

This concludes our proof. □

We now chain our findings together by showing that $\ulcorner \mathcal{T} \urcorner$ does not contain extraneous expressions.

Corollary 5.20. (Completeness of the representation for traces)

Let $\mathcal{T}$ be a trace over a Petri net $N$. If $E =_c \ulcorner \mathcal{T} \urcorner$, then $E = \ulcorner \mathcal{T} \urcorner$.

Proof. By definition, $\ulcorner \mathcal{T} \urcorner = \ulcorner S \urcorner^{\mathcal{S}}$ with $S \in \mathcal{S}(\mathcal{T})$ and $\mathcal{S} = \ulcorner \mathcal{T}^\bullet \urcorner^{(2')}$. By Lemma 5.19, $E = \ulcorner S' \urcorner^{\mathcal{S}}$ for some $S'$ such that $S \sim S'$. By Lemma 5.12, $S' \in \mathcal{S}(\mathcal{T})$ and so $E = \ulcorner \mathcal{T} \urcorner$. □


5.4.2 Adequacy Theorems

The results we just unveiled give us simple means for proving the adequacy of the concurrent representation of Petri nets. We start with the soundness property: the encoding of a trace is a well-typed expression relative to the representation of its initial and final markings.

Lemma 5.21. (Soundness of the concurrent representation of Petri nets)

If $\mathcal{T}$ is a trace over a Petri net $N$, then there is a derivation $\mathcal{E}$ of
$$\cdot;\ \ulcorner {}^\bullet\mathcal{T} \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner \mathcal{T} \urcorner \leftarrow \ulcorner \mathcal{T}^\bullet \urcorner^{(2'')}$$

Proof. By Corollary 5.7, for any execution sequence $S \in \mathcal{S}(\mathcal{T})$ we have that ${}^\bullet\mathcal{T} \rhd^*_N \mathcal{T}^\bullet$ by $S$. By the adequacy Lemma 5.13, there is a derivation $\mathcal{E}$ of
$$\cdot;\ \ulcorner {}^\bullet\mathcal{T} \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} \ulcorner S \urcorner^{\mathcal{S}} \leftarrow \ulcorner \mathcal{T}^\bullet \urcorner^{(2'')}$$
where $\mathcal{S} = \ulcorner \mathcal{T}^\bullet \urcorner^{(2')}$. By the definition of $\ulcorner \mathcal{T} \urcorner$, this is exactly the derivation we want. □

Moreover, any canonical expression relative to the encoding of the initial and final markings of a valid trace is the representation of this trace.

Lemma 5.22. (Completeness of the concurrent representation of Petri nets)

Let $N$ be a Petri net and $M, M'$ be two markings over $N$. If $\mathcal{E} :: \cdot;\ \ulcorner M \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} E \leftarrow \ulcorner M' \urcorner^{(2'')}$, then there is a trace $\mathcal{T}$ such that $M = {}^\bullet\mathcal{T}$, $M' = \mathcal{T}^\bullet$, and $E = \ulcorner \mathcal{T} \urcorner$.

Proof. By the adequacy Lemma 5.14, there is an execution sequence $S$ such that $M \rhd^*_N M'$ by $S$ and $E = \ulcorner S \urcorner^{\ulcorner M' \urcorner^{(2')}}$. Let $\mathcal{T} = \mathcal{T}_M(S)$. By Corollary 5.6, $\mathcal{T}$ is a trace with ${}^\bullet\mathcal{T} = M$ and $\mathcal{T}^\bullet = M'$. □

We bring these two results together in the following adequacy theorem.

Theorem 5.23. (Adequacy of the concurrent representation of Petri nets)

Let $N$ be a Petri net. There is a bijection between traces $\mathcal{T}$ over $N$ and terms $E$ such that the judgment
$$\cdot;\ \ulcorner {}^\bullet\mathcal{T} \urcorner^{(1)} \vdash_{\ulcorner N \urcorner} E \leftarrow \ulcorner \mathcal{T}^\bullet \urcorner^{(2'')}$$
is derivable in CLF.

Proof. This is a simple corollary of Lemmas 5.21 and 5.22. □


5.5 Petri Nets in LLF

In this section, we present an encoding of our example, the producer/consumer Petri net given in Figure 1, in LLF and compare it to the CLF representations obtained earlier. This formalization is based on [Cer95]. We remind the reader that LLF is the sublanguage of CLF that only allows $\Pi$, $\multimap$, $\&$ and $\top$ as type constructors and correspondingly limits the language of terms.

We keep the representation of the antecedent of a transition unchanged with respect to our previous CLF encoding, but we need to apply deep alterations to the representation of the consequent, since LLF does not embed any connective akin to $\otimes$. With linear implication as the only multiplicative connective at our disposal, we are forced to formalize transitions in a continuation-passing style: we introduce a control atom, which we call baton, that the representation of a transition acquires when it is fired and passes on to the next transition when it is done (as in a relay race).

The application of this idea to our example yields the LLF signature $\ulcorner N_{pc} \urcorner$ below, where we have occasionally written a type $A \multimap B$ as $B$ o- $A$, as is often done in (linear) logic programming:

    p : type.    r : type.    n : type.
    b : type.    a : type.    c : type.
    baton : type.

    t_p : baton o- p o- (r -o baton).
    t_r : baton o- r o- (p -o n -o b -o baton).
    t_a : baton o- a o- b o- b o- (c -o baton).
    t_c : baton o- c o- (a -o baton).

The behavior of CLF's $\otimes$ is implicitly recovered, in part, in the above encoding since right-nested linear implications can be curried: $A \multimap B \multimap C$ is logically equivalent to $A \otimes B \multimap C$. Writing our example in this way would however take us outside of LLF.

The initial marking $M_{pc1}$ in Figure 1 can simply be flattened into the linear context of LLF (below, left). The treatment of the final marking $M_{pc2}$ (see Figure 2) is however not as immediate: we represent it as if it were a transition (stop) that consumes all the tokens in the marking, and moreover that can be used at most once (below, right).

    r1 ^: r.            stop ^: baton o- r
    n1 ^: n.                           o- n
    n2 ^: n.                           o- n
    b1 ^: b.                           o- n
    b2 ^: b.                           o- b
    b3 ^: b.                           o- b
    a1 ^: a.                           o- c.

We call the LLF encodings of these two markings $\ulcorner M_{pc1} \urcorner$ and $\ulcorner M_{pc2} \urcorner$, respectively.

Given this encoding, there is a one-to-one correspondence between firing sequences $S$ such that $M_{pc1} \rhd^*_{N_{pc}} M_{pc2}$ by $S$ and LLF proof-terms $M$ such that
$$\cdot;\ \ulcorner M_{pc1} \urcorner, \ulcorner M_{pc2} \urcorner \vdash_{\ulcorner N_{pc} \urcorner} M : \mathsf{baton}$$
is derivable.

The main difference between the CLF and the LLF representations of Petri nets is the threading of transition firings that we have implemented in the latter by means of the control atom baton. This encoding is inherently sequential. The permutability of independent transitions can only be established as a meta-theoretic relation between two proof-terms, a process that we have found to be overwhelming in general. The CLF representation does not force a control thread on the encoding of transitions. This, coupled with the equational theory of this new formalism, enables an implicit and faithful rendering of the permutability of independent Petri net transitions. Therefore, we claim that LLF is a stateful but inherently sequential language, while CLF natively supports a form of concurrency that seems to be extremely general.

A minor difference between the two encodings concerns the representation of markings, especially the final marking of an execution sequence. In LLF, we are bound to enter it as a special use-once rule. CLF supports a more direct encoding as a synchronous type on the right-hand side of the typing judgment. Altogether, we find the CLF representation more direct than what we could produce using LLF.




6  Specification  of  Security  Protocol 

Since  their  inception  in  the  early  1960’s  [Pet62],  Petri  nets  have  been  the  object  of  many 
extensions  aimed  at  increasing  the  abstraction  level  of  a  specification,  at  making  them 
more  expressive,  and  at  using  their  modeling  power  for  specific  applications.  In  this  sec¬ 
tion,  we  will  analyze  one  such  extension,  the  security  protocol  specification  framework 
MSR  [CDL+99,  CerOlb,  CerOla]  and  describe  a  CLF  encoding  for  it. 

Rather  than  the  amorphous  objects  seen  in  Section  5,  MSR’s  tokens  ar e  facts,  i.e.,  typed 
first-order  ground  atomic  formulas  over  a  term  language  of  cryptographic  messages.  Tran¬ 
sitions  (called  rules  in  MSR)  become  parametric  in  the  inner  structure  of  facts:  variables 
can  be  matched  at  application  time  with  the  data  carried  by  a  fact,  allowing  in  this  way 
the  same  rule  to  apply  in  situations  that  differ  by  the  value  of  some  fields.  Systems  of  this 
sort  are  known  as  colored  Petri  nets  [Jen97];  they  are  also  very  closely  related  to  various 
languages  based  on  multiset  rewriting  such  as  GAMMA  [BL93]  (MSR  actually  stand  for 
Multiset  Rewriting).  MSR  extends  this  model  with  a  sophisticate  type  system  and  the 
possibility  of  creating  fresh  data  dynamically.  Moreover,  it  applies  it  to  the  specific  domain 
of  security  protocols. 

We describe relevant aspects of the syntax and operational behavior of MSR in Section 6.1. Then we will show in Section 6.2 how the basic CLF encoding for Petri nets is adapted to accommodate the many extensions present in MSR.

6.1  The  Security  Protocol  Specification  Language  MSR 

A security protocol describes the message exchange taking place between two or more agents, or principals, who wish to perform tasks such as establishing a secure channel to communicate confidential data, verifying each other's identity, etc. Messages are assumed to be sent over a public network, such as the Internet, and therefore run the risk of being intercepted and even fabricated by attackers. Cryptography is used to achieve virtual private channels over this public medium.

There has been a recent surge in formalisms for specifying security protocols, together with methods for proving their correctness. One such language is the Spi calculus [AG99], which specializes the π-calculus with dedicated cryptographic constructs. It can be expressed in CLF through a simple adaptation of the encoding presented in Section 3. In this section, we will sketch a CLF encoding for another protocol specification language: MSR [CDL+99, Cer01b], a distant cousin of Petri nets.

MSR is a flexible framework for expressing security protocols and the linguistic infrastructure they rely on. Rather than describing the meta-language in its generality, we will concentrate on an instance tailored for the description of a specific protocol, the Needham-Schroeder public-key protocol, which we will use as an extended example. We will actually throw in a handful of additional constructs so that the reader can appreciate the expressive power of this formalism. More precisely, we introduce the syntax of MSR in Section 6.1.1, apply it to an example in Section 6.1.2, and conclude with the operational semantics of this language in Section 6.1.3.
6.1.1 Syntax

We start by defining the syntax of messages, which constitute the term language of the instance of MSR we are considering in this document. Atomic messages consist of principal names, cryptographic keys, and nonces (short-lived data used for authentication purposes). They are formally given by the following grammar:

    Atomic messages:  a ::= A    (Principal)
                        |   k    (Key)
                        |   n    (Nonce)

With just a few exceptions, we will use the displayed identifiers, possibly adorned with subscripts or superscripts, to refer to objects of the associated syntactic class. For example, the symbol n₃ will generally identify a nonce. As an additional convention, we will use a serifed font to denote constants while reserving a generic font for objects that either are or may be variables (introduced shortly).

Messages are either constants, variables, the concatenation of two terms, or the result of encrypting a term with a key. We display syntax for encryption with both symmetric and asymmetric keys, although we will be using only the latter.

    Messages:  t ::= a          (Atomic messages)
                  |  x          (Variables)
                  |  t₁ t₂      (Concatenation)
                  |  {t}_k      (Symmetric-key encryption)
                  |  {{t}}_k    (Asymmetric-key encryption)

It should be observed that these declarations cast a layer of symbolic abstraction over the bit-strings that implement the messages of a security protocol. This approach, which can be found in almost all security protocol specification and analysis environments, is known as the Dolev-Yao abstraction [NS78, DY83].

An elementary term is either a constant or a variable:

    Elementary terms:  e ::= a    (Constants)
                          |  x    (Variables)

Predicates may take multiple arguments. Consequently, we introduce syntax for tuples of messages:

    Message tuples:  t⃗ ::= ·       (Empty tuple)
                        |  t, t⃗    (Tuple extension)

In MSR, every object has a type drawn from the theory of dependent types with subsorting [Cer01a]. In this paper, we will use the following layout:

    Types:  τ ::= principal    (Principals)
               |  nonce        (Nonces)
               |  shK A B      (Shared keys)
               |  pubK A       (Public keys)
               |  privK k      (Private keys)
               |  msg          (Messages)
The types "principal" and "nonce" classify principals and nonces, respectively. The next three productions allow distinguishing between shared keys, public keys and private keys. Dependent types offer a simple and flexible way to express the relations that hold between keys and their owner or other keys. A key "k" shared between principals "A" and "B" will have type "shK A B". Here, the type of the key depends on the specific principals "A" and "B". Similarly, a constant "k" is given type "pubK A" to indicate that it is a public key belonging to "A". We use dependent types again to express the relation between a public key and its inverse. Continuing with the last example, the inverse of "k" will have type "privK k".

We use the type msg to classify generic messages. We reconcile nonces, keys, and principal identifiers with the messages they are routinely part of by imposing a subsorting relation between types, formalized by the judgment "τ :: τ′" (τ is a subsort of τ′). In this paper, each of the types discussed above, with the exception of private keys, is a subtype of msg:

    principal :: msg      nonce :: msg      shK A B :: msg      pubK A :: msg

We use dependent Cartesian products to assign a type to message tuples:

    Type tuples:  τ⃗ ::= ·           (Empty tuple)
                     |  Σx:τ. τ⃗     (Type tuple extension)

Whenever the variable x does not occur in τ⃗, we will abbreviate Σx:τ. τ⃗ as τ × τ⃗.

We next give the syntax for MSR rules. At the core of a rule one can find a left-hand side and a right-hand side, described shortly. This nucleus is enclosed in a layer of universal quantifications that assign a type to every variable mentioned in the rule (with a few exceptions, see below):

    Rules:  r ::= lhs → rhs     (Rule core)
               |  ∀x : τ. r     (Parameter closure)

The left-hand side or antecedent of a rule is a possibly empty multiset of predicates. In this paper, we will consider only two forms: the network predicate, N(t), models messages in transit in the network, while the role state predicate L(e⃗) is used to pass control (through the predicate symbol L) and data (by means of the elementary terms e⃗) from one rule to the next:

    Predicate sequences:  lhs ::= ·             (Empty predicate sequence)
                               |  lhs, N(t)     (Extension with a network predicate)
                               |  lhs, L(e⃗)     (Extension with a role state predicate)

The right-hand side or consequent of a rule is a multiset of predicates as well, but it can be preceded by a sequence of existential declarations which mark data that should be generated freshly (typically nonces and short-term keys):

    Right-hand sides:  rhs ::= lhs            (Sequence of message predicates)
                            |  ∃x : τ. rhs    (Fresh data generation)
In the past, crypto-protocols have often been presented as the temporal sequence of messages being transmitted during a "normal" run. Recent proposals champion a view that places the involved parties in the foreground. A protocol is then a collection of independent roles that communicate by exchanging messages, without any reference to runs of any kind. A role has an owner, the principal that executes it, and specifies the sequence of messages that he/she will send, possibly in response to receiving messages of some expected form. The actions undertaken by a principal executing a role are expressed as a collection of rules, together with declarations for all the role state predicates they rely upon.

    Rule collections:  ρ ::= ·             (Empty role)
                          |  ∃L : τ⃗. ρ    (Role state predicate parameter declaration)
                          |  r, ρ         (Extension with a rule)

The weak form of quantification over role state predicates prevents two executions of the same role from interfering with each other by using the same role state predicate name.

Finally, all the roles constituting a protocol are collected in a protocol theory. Roles come in two flavors: generic roles can be executed by any principal, while anchored roles are bound to one specific agent (typically a server or the intruder):

    Protocol theories:  P ::= ·            (Empty protocol theory)
                           |  P, ρ^{∀A}    (Extension with a generic role)
                           |  P, ρ^A       (Extension with an anchored role)

6.1.2 Example

We will now make the above definitions concrete by applying them to the specification of an actual security protocol. The server-less variant of the Needham-Schroeder public-key protocol [NS78] is a two-party crypto-protocol aimed at authenticating the initiator A to the responder B (but not necessarily vice versa). It is expressed below as the expected run in the "usual notation".

    1.  A → B :  {{n_A A}}_{k_B}
    2.  B → A :  {{n_A n_B}}_{k_A}
    3.  A → B :  {{n_B}}_{k_B}

In the first line, the initiator A encrypts a message consisting of a fresh piece of information, or nonce, n_A and her own identity with the public key k_B of the responder B, and sends it (ideally to B). The second line describes the action that B undertakes upon receiving and interpreting this message: he creates a nonce n_B of his own, combines it with A's nonce n_A, encrypts the outcome with A's public key k_A, and sends the resulting message out. Upon receiving this message in the third line, A accesses n_B and sends it back encrypted with k_B. The run is completed when B receives this message.

We will now express each role in turn in the syntax of MSR. For space reasons, we typeset homogeneous constituents, namely the universal variable declarations and the predicate sequences in the antecedent and consequent, in columns within each rule; we also rely on some minor abbreviations.
The initiator's actions are represented by the following two-rule role:

    ( ∃L : ΣB:principal. pubK B × nonce.

        ∀B : principal.
        ∀k_B : pubK B.
            ·  →  ∃n_A : nonce.  N({{n_A A}}_{k_B}),  L(B, k_B, n_A)

        ∀B : principal.
        ∀k_B : pubK B.
        ∀k_A : pubK A.
        ∀k'_A : privK k_A.
        ∀n_A, n_B : nonce.
            N({{n_A n_B}}_{k_A}),  L(B, k_B, n_A)  →  N({{n_B}}_{k_B})
    )^{∀A}

Clearly, any principal can engage in this protocol as an initiator (or a responder). Our encoding is therefore structured as a generic role. Let A be its postulated owner. The first rule formalizes the first line of the "usual notation" description of this protocol from A's point of view. It has an empty antecedent since initiation is unconditional in this protocol fragment. Its right-hand side uses an existential quantifier to mark the nonce n_A as fresh. The consequent contains the transmitted message and the role state predicate L(B, k_B, n_A), necessary to enable the second rule of this protocol. The arguments of this predicate record variables used in the second rule.

The second rule encodes the last two lines of the "usual notation" description. It is applicable only if the initiator has executed the first rule (enforced by the presence of the role state predicate) and she receives a message of the appropriate form. Its consequent sends the last message of the protocol.

MSR provides a specific type for each variable app earing in these rules. The equivalent "usual notation" specification relies instead on natural language and conventions to convey this same information, with clear potential for ambiguity.

The responder is encoded as the generic role below, whose owner we have mnemonically called B. The first rule of this role collapses the two topmost lines of the "usual notation" specification of this protocol fragment from the receiver's point of view. The second rule captures the reception and successful interpretation of the last message in the protocol by B: this step is often overlooked. This rule has no consequent.

    ( ∃L : principal × nonce.

        ∀k_B : pubK B.
        ∀k'_B : privK k_B.
        ∀A : principal.
        ∀k_A : pubK A.
        ∀n_A : nonce.
            N({{n_A A}}_{k_B})  →  ∃n_B : nonce.  N({{n_A n_B}}_{k_A}),  L(A, n_B)

        ∀k_B : pubK B.
        ∀k'_B : privK k_B.
        ∀A : principal.
        ∀n_B : nonce.
            N({{n_B}}_{k_B}),  L(A, n_B)  →  ·
    )^{∀B}
6.1.3 Semantics

MSR supports two static checks and one dynamic behavior model, which altogether form the semantics of this formalism.

• The first static check is obviously type-checking, whose definition [Cer01a] is a simple adaptation of traditional schemes for dependently-typed languages. We will not display the typing rules of MSR in this paper, and we will implicitly encode their verification as type-checking for CLF terms.

• A more domain-specific test is data access specification, or DAS. It defines which data a given principal is allowed to access to construct or interpret messages. For example, it is admissible for an agent to look up the name and public key of any other principal, but it should be allowed to access only its own private key. Similarly, an agent cannot guess nonces, but is allowed to retrieve nonces it has memorized or received in a network message. We will completely ignore DAS in this paper, although it has very insightful properties and it will be very interesting to study them within CLF.

• Finally, MSR rules can be seen as a sophisticated form of Petri net transition: after instantiation, they rewrite the facts (tokens) in their antecedent (pre-conditions) to the facts (tokens) in their consequent (post-conditions). In this section, we will give a detailed account of this dynamic behavior.

At the core of the MSR equivalent of the Petri net notion of marking is a state. In line with the earlier interpretation of facts as overgrown tokens, a state is unsurprisingly a multiset of fully instantiated facts. We have the following grammatical productions:

    States:  S ::= ·           (Empty state)
                |  S, N(t)     (Extension with a network predicate)
                |  S, L(t⃗)     (Extension with a role state predicate)

Observe that the role state predicate symbols themselves must be constants here, while rules earlier required variable predicate names.

Because of the peculiarities of MSR, states do not provide a snapshot of execution in the same way as markings did in the case of Petri nets. Since the right-hand side of a rule can produce new symbols, it is important to keep an accurate account of what constants are in use at each instant of the execution. As usual, this is done by means of a signature:

    Signatures:  Σ ::= ·           (Empty signature)
                    |  Σ, a : τ    (Atomic message declaration)
                    |  Σ, L : τ⃗    (Role state predicate declaration)

One more ingredient is needed: MSR rules are clustered into roles which specify the sequence of actions that a principal should perform, possibly in response to the reception of messages. Several instances of a given role, possibly stopped at different rules, can be present at any moment during execution. We record the role instances currently in use, the point at which each is stopped, and the principals who are executing them in an active role set. These objects are finite collections of active roles, i.e., partially instantiated rule collections, each labelled with a principal name. The following grammar captures their macroscopic structure:

    Active role sets:  R ::= ·         (Empty active role set)
                          |  R, ρ^A    (Extension with an instantiated role)


With the above definitions, we define a configuration as a triple C = [S]_Σ^R consisting of a state S, a signature Σ, and an active role set R. Configurations are transformed by the application of MSR rules, and therefore correspond to the Petri net notion of marking.

Given a protocol P, we describe the fact that execution transforms a configuration C into another configuration C′ by means of the one-step firing judgment P ▷ C → C′. It is implemented by the next six rules, which fall into three classes. We should be able to: first, make a role from P available for execution; second, perform instantiations and apply a rule; and third, skip rules.

We first examine how to extend the current active role set R with a role taken from the protocol specification P. As defined in Section 6.1.1, P can contain both anchored roles ρ^A and generic roles ρ^{∀A}. This yields the following two rules, respectively:

\[
\frac{}{(\mathcal{P},\rho^{A}) \triangleright [S]^{R}_{\Sigma} \longrightarrow [S]^{R,\,\rho^{A}}_{\Sigma}}\ \textsf{ex\_arole}
\qquad
\frac{}{(\mathcal{P},\rho^{\forall A}) \triangleright [S]^{R}_{\Sigma,\,A{:}\mathsf{principal},\,\Sigma'} \longrightarrow [S]^{R,\,([A/A]\rho)^{A}}_{\Sigma,\,A{:}\mathsf{principal},\,\Sigma'}}\ \textsf{ex\_grole}
\]

Anchored roles can simply be copied to the current active role set, while the owner of a generic role must first be instantiated to a principal A declared in the signature. Here and below, we write [o/x]o′ for the capture-free substitution of object o for x in object o′.

Once a role has been activated, chances are that it contains role state predicate parameter declarations that need to be instantiated with actual constants before any of the embedded rules can be applied. This is done by the following rule, where the newly generated constant L is added to the signature of the target configuration.

\[
\frac{}{\mathcal{P} \triangleright [S]^{R,\,(\exists L{:}\vec{\tau}.\,\rho)^{A}}_{\Sigma} \longrightarrow [S]^{R,\,\rho^{A}}_{\Sigma,\,L{:}\vec{\tau}}}\ \textsf{ex\_rsp}
\]

An exposed rule r can participate in an atomic execution step in two ways: we can either skip it (discussed below), or we can apply it to the current configuration. The latter option is implemented by the inference rule below, which makes use of the rule application judgment "r ▷ [S]_Σ ≫ [S′]_Σ′" (described shortly) to construct the state S′ and the signature Σ′ resulting from the application.

\[
\frac{r \triangleright [S]_{\Sigma} \gg [S']_{\Sigma'}}{\mathcal{P} \triangleright [S]^{R,\,(r,\rho)^{A}}_{\Sigma} \longrightarrow [S']^{R,\,\rho^{A}}_{\Sigma'}}\ \textsf{ex\_rule}
\]

The next two inference figures discard a rule (to implement non-deterministic behaviors) and remove active roles that have been completely executed, respectively.

\[
\frac{}{\mathcal{P} \triangleright [S]^{R,\,(r,\rho)^{A}}_{\Sigma} \longrightarrow [S]^{R,\,\rho^{A}}_{\Sigma}}\ \textsf{ex\_skp}
\qquad
\frac{}{\mathcal{P} \triangleright [S]^{R,\,(\cdot)^{A}}_{\Sigma} \longrightarrow [S]^{R}_{\Sigma}}\ \textsf{ex\_dot}
\]
When successful, the application of a rule r to a state S in the signature Σ produces an updated state S′ in the extended signature Σ′. This operation is defined by the rule application judgment "r ▷ [S]_Σ ≫ [S′]_Σ′". It is implemented by the following two rules, which respectively instantiate a universally quantified variable and perform the actual transition specified by the core of this rule:

\[
\frac{\Sigma \vdash t : \tau \qquad ([t/x]r) \triangleright [S]_{\Sigma} \gg [S']_{\Sigma'}}{(\forall x{:}\tau.\,r) \triangleright [S]_{\Sigma} \gg [S']_{\Sigma'}}\ \textsf{ex\_all}
\qquad
\frac{(\mathit{rhs})_{\Sigma} \gg (\mathit{lhs}')_{\Sigma'}}{(\mathit{lhs} \rightarrow \mathit{rhs}) \triangleright [S,\mathit{lhs}]_{\Sigma} \gg [S,\mathit{lhs}']_{\Sigma'}}\ \textsf{ex\_core}
\]

Rule ex_all relies on the type-checking judgment Σ ⊢ t : τ to generate a message of the appropriate type. Rule ex_core identifies the left-hand side lhs in the current state and replaces it with a substate lhs′ derived from the consequent rhs by means of the right-hand side instantiation judgment "(rhs)_Σ ≫ (lhs′)_Σ′" discussed next.

The right-hand side instantiation judgment instantiates every existentially quantified variable in a consequent rhs with a fresh constant of the appropriate type before returning the embedded predicate sequence:

\[
\frac{([a/x]\mathit{rhs})_{\Sigma,\,a{:}\tau} \gg (\mathit{lhs})_{\Sigma'}}{(\exists x{:}\tau.\,\mathit{rhs})_{\Sigma} \gg (\mathit{lhs})_{\Sigma'}}\ \textsf{ex\_nnc}
\qquad
\frac{}{(\mathit{lhs})_{\Sigma} \gg (\mathit{lhs})_{\Sigma}}\ \textsf{ex\_seq}
\]

The one-step firing judgment we just described corresponds to the application of a Petri net transition relative to a given marking. This operation can be used as the basis of either an interleaving semantics akin to what we described in Section 5.2.1, or of a trace semantics which extends the construction in Section 5.2.2. The former is defined, as expected, as the reflexive and transitive closure of the one-step execution judgment and will be denoted "P ▷ C →* C′". The definition of the latter is a simple, but rather long extension of the analogous concept for Petri nets: we will not formalize it in this document. The interested reader can find formal definitions relative to an earlier version of MSR in [CDL+00]. This same reference presents a detailed analysis of the relation between these two forms of semantics, and ultimately a proof of their equivalence.
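The firing rules above can be exercised directly. The following Python program is an added example, not part of the report: it implements the one-step firing judgment for the MSR instance of this section (ex_grole and ex_rsp as role activation, ex_all and ex_core as rule application, ex_nnc as fresh data generation) and pushes the expected Needham-Schroeder run of Section 6.1.2 through it. The tuple representation of terms and facts, the `bind` argument that supplies the instantiations rule ex_all chooses non-deterministically, and all function names are this example's own choices. The typing premise Σ ⊢ t : τ is checked against the signature for atomic constants only, and DAS is ignored, as in the report.

```python
"""Added example, not part of the report: an interpreter for the MSR fragment
of Section 6.1, run on the Needham-Schroeder roles of Section 6.1.2.  Terms,
facts and types are tuples; ('var', x) is a quantified variable."""
import itertools
_counter = itertools.count(1)

def V(name): return ('var', name)
def is_var(t): return isinstance(t, tuple) and len(t) == 2 and t[0] == 'var'

def subst(t, sub):
    """[sub]t on terms, facts and types (variables carry no binders)."""
    if is_var(t):
        return sub.get(t[1], t)
    return tuple(subst(a, sub) for a in t) if isinstance(t, tuple) else t

def match(pat, term, sub):
    """Extend sub so that subst(pat, sub) == term; None if impossible."""
    if is_var(pat):
        if pat[1] in sub:
            return sub if sub[pat[1]] == term else None
        return {**sub, pat[1]: term}
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(term) != len(pat):
            return None
        for p, t in zip(pat, term):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pat == term else None

# Dolev-Yao messages and facts; a fact is (predicate symbol, arguments...).
def cat(t1, t2): return ('cat', t1, t2)     # t1 t2
def penc(k, t):  return ('penc', k, t)      # {{t}}_k
def N(t):        return ('N', t)            # network predicate N(t)
def rsp(L, *e):  return (L,) + e            # role state predicate L(e)

def fresh(base, sig):
    """A constant name not declared in sig (side condition of ex_nnc, ex_rsp)."""
    while True:
        c = f"{base}{next(_counter)}"
        if c not in sig:
            return c

def nspk_init(A, L):
    """Initiator role (owner A, role-state symbol L): `univ` lists the
    universally quantified variables with their dependent types."""
    return [
        dict(univ=[('B', ('principal',)), ('kB', ('pubK', V('B')))],
             lhs=[], fresh=[('nA', ('nonce',))],
             rhs=[N(penc(V('kB'), cat(V('nA'), A))), rsp(L, V('B'), V('kB'), V('nA'))]),
        dict(univ=[('B', ('principal',)), ('kB', ('pubK', V('B'))), ('kA', ('pubK', A)),
                   ("k'A", ('privK', V('kA'))), ('nA', ('nonce',)), ('nB', ('nonce',))],
             lhs=[N(penc(V('kA'), cat(V('nA'), V('nB')))), rsp(L, V('B'), V('kB'), V('nA'))],
             fresh=[], rhs=[N(penc(V('kB'), V('nB')))]),
    ]

def nspk_resp(B, L):
    return [   # responder role, owner B
        dict(univ=[('kB', ('pubK', B)), ("k'B", ('privK', V('kB'))), ('A', ('principal',)),
                   ('kA', ('pubK', V('A'))), ('nA', ('nonce',))],
             lhs=[N(penc(V('kB'), cat(V('nA'), V('A'))))], fresh=[('nB', ('nonce',))],
             rhs=[N(penc(V('kA'), cat(V('nA'), V('nB')))), rsp(L, V('A'), V('nB'))]),
        dict(univ=[('kB', ('pubK', B)), ("k'B", ('privK', V('kB'))), ('A', ('principal',)),
                   ('nB', ('nonce',))],
             lhs=[N(penc(V('kB'), V('nB'))), rsp(L, V('A'), V('nB'))], fresh=[], rhs=[]),
    ]

def activate(role, owner, sig):
    """ex_grole followed by ex_rsp: fix the owner and allocate a fresh L."""
    L = fresh('L', sig)
    return role(owner, L), {**sig, L: ('rsp',)}

def fire(rule, state, sig, bind=None):
    """One rule application (ex_all, then ex_core).  `bind` instantiates the
    universals that matching the antecedent cannot determine.  Returns
    (state', sig'), or None when no instance of lhs occurs in state."""
    def search(i, sub, used):
        if i == len(rule['lhs']):
            return sub, used
        for j, fact in enumerate(state):
            if j not in used:
                s = match(rule['lhs'][i], fact, sub)
                if s is not None and (hit := search(i + 1, s, used | {j})):
                    return hit
        return None
    hit = search(0, dict(bind or {}), frozenset())
    if hit is None:
        return None
    sub, used = hit
    for x, ty in rule['univ']:           # premise Σ ⊢ t : τ of ex_all (atomic t)
        if x not in sub or sig.get(sub[x]) != subst(ty, sub):
            raise TypeError(f"{x} is not a constant of type {subst(ty, sub)}")
    sig = dict(sig)
    for x, ty in rule['fresh']:          # ex_nnc: fresh data generation
        sub[x] = fresh(x, sig)
        sig[sub[x]] = ty
    rest = [f for j, f in enumerate(state) if j not in used]
    return rest + [subst(f, sub) for f in rule['rhs']], sig

def nspk_run():
    """The expected run of Section 6.1.2 as four one-step firings."""
    sig = {'a': ('principal',), 'b': ('principal',), 'ka': ('pubK', 'a'),
           'kb': ('pubK', 'b'), "ka'": ('privK', 'ka'), "kb'": ('privK', 'kb')}
    init, sig = activate(nspk_init, 'a', sig)
    resp, sig = activate(nspk_resp, 'b', sig)
    state, sig = fire(init[0], [], sig, bind={'B': 'b', 'kB': 'kb'})         # 1. A -> B
    state, sig = fire(resp[0], state, sig, bind={"k'B": "kb'", 'kA': 'ka'}) # 2. B -> A
    state, sig = fire(init[1], state, sig, bind={"k'A": "ka'"})             # 3. A -> B
    state, sig = fire(resp[1], state, sig, bind={"k'B": "kb'"})             # B accepts
    return state, sig
```

Each firing removes the matched antecedent facts from the multiset and adds the instantiated consequent, exactly as ex_core prescribes; a rule whose antecedent has no instance in the current state (for instance the second initiator rule before B has answered) yields None, and an instantiation of the wrong dependent type (a key that is not of type pubK B for the chosen B) is rejected before the state is touched. After the four firings the state is empty: the two role state predicates have been consumed and no message is left in transit.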

6.2 CLF Encoding

We will now build on the encoding of Petri nets presented in Section 5. We describe the CLF representation of messages, rules and ultimately protocol theories in Section 6.2.1. We make these definitions concrete in Section 6.2.2 by applying them to our on-going example. Finally, in Section 6.2.3, we state the adequacy theorems for this encoding, although we do not present proofs.

6.2.1 MSR

We will now describe the CLF representation of the various constituents of the MSR instance discussed in Section 6.1. We start with messages.
For the sake of simplicity, we will map MSR types directly to types in CLF. The grammar for the object types (left) yields the signature fragment displayed at right.

    principal      principal : type.
    nonce          nonce     : type.
    shK A B        shK       : principal → principal → type.
    pubK A         pubK      : principal → type.
    privK k        privK     : ΠA:principal. pubK A → type.
    msg            msg       : type.

With this definition, type-checking in MSR will be emulated by the analogous check in CLF. A more detailed study of the type system of our object language (to prove type preservation results, or to talk about ill-typed messages, for example) would require a different encoding which represents MSR types as CLF objects.

The above definition does not reflect the presence of a subtyping relation in MSR. Since CLF does not natively support subtyping, we will emulate it by introducing a number of type coercion symbols that mediate between objects standing for principals, etc., and messages (of type msg). It should be noted that while this technical device is adequate for the simple instance of MSR considered in this document, it would not work in more general settings, in particular in situations where a sort has more than one supertype. A more complex encoding would then be required.

    principal :: msg       p2m  : principal → msg.
    nonce :: msg           n2m  : nonce → msg.
    shK A B :: msg         sk2m : shK A B → msg.
    pubK A :: msg          pk2m : pubK A → msg.

Here, the arguments A and B are implicitly Π-quantified at the head of the appropriate declarations. We assume that implicit arguments can be reconstructed, as is normally the case in LF.

Before displaying the encoding of messages, we need to introduce CLF constants that stand for their constructors. We will use the following declarations to represent concatenation, shared-key encryption (although not used in our example), and public-key encryption.

    +    : msg → msg → msg.           (infix)
    sEnc : shK A B → msg → msg.
    pEnc : pubK A → msg → msg.


With these definitions, we have the following encoding of messages:

    ⌜A⌝         = p2m A             (Principals)
    ⌜n⌝         = n2m n             (Nonces)
    ⌜k⌝         = sk2m k            (Shared keys)
    ⌜k⌝         = pk2m k            (Public keys)
    ⌜t₁ t₂⌝     = ⌜t₁⌝ + ⌜t₂⌝       (Concatenation)
    ⌜{t}_k⌝     = sEnc k ⌜t⌝        (Symmetric-key encryption)
    ⌜{{t}}_k⌝   = pEnc k ⌜t⌝        (Asymmetric-key encryption)

Here, we assume we can tell shared keys from public keys, which is immediate with the help of a typing derivation.

We complete the presentation of the CLF constants needed for MSR with the following declarations for the network predicate and some infrastructure supporting role state predicates:

    net    : msg → type.
    rspArg : type.
    rsp    : rspArg → type.

MSR facts are represented as CLF dependent types. For example, the network predicate N(n_B) is encoded as the type net (n2m n_B). Role state predicates are however generated dynamically, and CLF does not support any form of quantification over type symbols. We resolve this issue by introducing the type rspArg: an MSR declaration L:τ⃗ for a role-state predicate L will be represented by a CLF declaration for an object L that takes arguments as specified in τ⃗, but whose target type is rspArg. Thus, any occurrence of a fact L(t⃗) in a role will be encoded as the CLF type rsp (L ⌜t⃗⌝), as described below.

Let Σ_MSR be the signature obtained by collecting all of the above declarations.

We now move to the representation of the higher syntactic level of an MSR specification. We start with rules and their components. The encoding ⌜r⌝ of a rule r is given as follows:

    ⌜lhs → rhs⌝    = ⌜lhs⌝_{{⌜rhs⌝}}
    ⌜∀x : τ. r⌝    = Πx:τ. ⌜r⌝

The core of a rule is the object of the same representation technique seen in Section 5.3.1 for Petri net transitions. As formalized below, the antecedent will be rendered as a sequence of linear implications while the consequent is mapped to the monadic encapsulation of a synchronous CLF formula. The outer layer of universal quantifiers is simply emulated by dependent types.

As anticipated, we unfold the left-hand side of a rule as a (possibly empty) sequence of linear implications:

    ⌜·⌝_R            = R
    ⌜N(t), lhs⌝_R    = ⌜lhs⌝_{(net ⌜t⌝ ⊸ R)}
    ⌜L(t⃗), lhs⌝_R    = ⌜lhs⌝_{(rsp ⌜t⃗⌝_L ⊸ R)}

Here, R is a CLF expression representing the right-hand side of the rule. Role state predicates are encoded by applying each argument to the name of this predicate (we applied a similar technique in Section 5.3.3 to represent the application of a transition in an execution sequence) and feeding the result as an index to the type family rsp:

    ⌜·⌝_M         = M
    ⌜t, t⃗⌝_M      = ⌜t⃗⌝_{(M t)}

The facts in the right-hand side of a rule are tensored together while the existential quantifiers are mapped to the analogous constructs of CLF.

    ⌜∃x : τ. rhs⌝    = ∃x:τ. ⌜rhs⌝
    ⌜·⌝              = 1
    ⌜N(t), rhs⌝      = net ⌜t⌝ ⊗ ⌜rhs⌝
    ⌜L(t⃗), rhs⌝      = rsp ⌜t⃗⌝_L ⊗ ⌜rhs⌝

For the sake of brevity, we made this encoding slightly more general than necessary by allowing occurrences of the data generation construct embedded within a sequence of predicates. Clearly, this can easily be fixed.

A rule collection is encoded by tensoring together the representation of the individual rules that constitute it, while the role-state predicate declarations are mapped to existential constructions in CLF:

    ⌜·⌝            = 1
    ⌜∃L:τ⃗. ρ⌝      = ∃L:⌜τ⃗⌝. ⌜ρ⌝
    ⌜r, ρ⌝         = ⌜r⌝ ⊗ ⌜ρ⌝

The type tuple τ⃗ in this definition is curried as iterated dependent types with rspArg as the target type:

    ⌜·⌝            = rspArg
    ⌜Σx:τ. τ⃗⌝      = Πx:τ. ⌜τ⃗⌝

Finally, a protocol theory is rendered in CLF by giving one declaration for each constituent role. Anchored roles are represented by means of a monad containing the encoding of the corresponding rule collection. The representation of generic roles differs only by an additional quantification over its owner. In both cases, we assign a name id_ρ to each role. This list of declarations is preceded by the common definitions for an MSR specification collected in Σ_MSR.

    ⌜·⌝            = Σ_MSR
    ⌜P, ρ^{∀A}⌝    = ⌜P⌝, id_ρ : ΠA:principal. {⌜ρ⌝}
    ⌜P, ρ^A⌝       = ⌜P⌝, id_ρ : {⌜ρ⌝}
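The representation function ⌜·⌝ of this section can be run mechanically. The following Python program is an added example, not part of the report: it implements the encoding of messages, rules, type tuples and generic roles over a tuple representation of MSR syntax of its own, and reproduces the declaration of the initiator role given in Section 6.2.2. The coercions p2m, n2m, pk2m and sk2m are chosen from the type recorded for each atomic message in a type environment, which plays the part of the typing derivation the text assumes. All function names and the textual rendering of Π, ⊸, ⊗ and ∃ are this example's choices.

```python
"""Added example, not part of the report: the representation function of
Section 6.2.1 as a translator from MSR rules and roles to CLF declarations.
Messages are ('cat', t1, t2), ('penc', k, t), ('senc', k, t) or a string
(constant or variable); a fact is ('N', t) or ('L', e1, ..., en); a type is
a tuple such as ('pubK', 'B').  Types of variables come from `env`."""

COERCION = {'principal': 'p2m', 'nonce': 'n2m', 'pubK': 'pk2m', 'shK': 'sk2m'}

def enc_type(ty):
    return ' '.join(ty)                        # ('pubK', 'B') -> "pubK B"

def enc_msg(t, env):
    """⌜t⌝: an atomic message gets the coercion for its recorded type; a key
    under sEnc/pEnc is passed at its own key type, so it is not coerced."""
    if isinstance(t, str):
        ty = env[t]
        return t if ty[0] == 'msg' else f"({COERCION[ty[0]]} {t})"
    head, *args = t
    if head == 'cat':
        return f"({enc_msg(args[0], env)} + {enc_msg(args[1], env)})"
    if head in ('penc', 'senc'):
        ctor = 'pEnc' if head == 'penc' else 'sEnc'
        return f"({ctor} {args[0]} {enc_msg(args[1], env)})"
    raise ValueError(f"unknown message constructor {head}")

def enc_fact(fact, env):
    """⌜N(t)⌝ = net ⌜t⌝ and ⌜L(t⃗)⌝ = rsp (L t1 ... tn)."""
    if fact[0] == 'N':
        return f"net {enc_msg(fact[1], env)}"
    return f"rsp ({' '.join(fact)})"

def enc_rule(rule, env):
    """⌜∀x:τ. r⌝ = Πx:τ. ⌜r⌝ and ⌜lhs → rhs⌝ = ⌜lhs⌝_{{⌜rhs⌝}}: the antecedent
    is a chain of linear implications, the consequent a monad holding the
    existentials and the tensor of its facts, terminated by 1."""
    env = {**env, **dict(rule['univ']), **dict(rule['fresh'])}
    rhs = ' ⊗ '.join([enc_fact(f, env) for f in rule['rhs']] + ['1'])
    for x, ty in reversed(rule['fresh']):
        rhs = f"∃{x}:{enc_type(ty)}. {rhs}"
    core = '{' + rhs + '}'
    for fact in reversed(rule['lhs']):
        core = f"{enc_fact(fact, env)} ⊸ {core}"
    for x, ty in reversed(rule['univ']):
        core = f"Π{x}:{enc_type(ty)}. {core}"
    return core

def enc_rsp_type(tt):
    """⌜Σx:τ. τ⃗⌝ = Πx:τ. ⌜τ⃗⌝ and ⌜·⌝ = rspArg; a None binder is the τ × τ⃗
    abbreviation, rendered as a plain arrow."""
    out = 'rspArg'
    for x, ty in reversed(tt):
        out = f"Π{x}:{enc_type(ty)}. {out}" if x else f"{enc_type(ty)} → {out}"
    return out

def enc_generic_role(name, owner, rsp_type, rules):
    """⌜P, ρ^{∀A}⌝ contributes  name : ΠA:principal. { ∃L:⌜τ⃗⌝. ⌜ρ⌝ }."""
    env = {owner: ('principal',)}
    body = ' ⊗ '.join([enc_rule(r, env) for r in rules] + ['1'])
    return f"{name} : Π{owner}:principal. {{ ∃L:{enc_rsp_type(rsp_type)}. {body} }}"

def nspk_init_rules():
    """The initiator role of Section 6.1.2 (owner A, role-state symbol L)."""
    rule1 = dict(univ=[('B', ('principal',)), ('kB', ('pubK', 'B'))],
                 lhs=[], fresh=[('nA', ('nonce',))],
                 rhs=[('N', ('penc', 'kB', ('cat', 'nA', 'A'))), ('L', 'B', 'kB', 'nA')])
    rule2 = dict(univ=[('B', ('principal',)), ('kB', ('pubK', 'B')), ('kA', ('pubK', 'A')),
                       ("k'A", ('privK', 'kA')), ('nA', ('nonce',)), ('nB', ('nonce',))],
                 lhs=[('N', ('penc', 'kA', ('cat', 'nA', 'nB'))), ('L', 'B', 'kB', 'nA')],
                 fresh=[], rhs=[('N', ('penc', 'kB', 'nB'))])
    return [rule1, rule2]

NSPK_INIT_RSP_TYPE = [('B', ('principal',)), (None, ('pubK', 'B')), (None, ('nonce',))]

def nspk_init_decl():
    return enc_generic_role('nspk_init', 'A', NSPK_INIT_RSP_TYPE, nspk_init_rules())
```

Running nspk_init_decl() prints the declaration of Section 6.2.2 on one line, with the omnipresent trailing 1 after each consequent and after the rule collection. Because the coercion is read off the environment, a variable declared at type msg is emitted uncoerced, while an atomic message with no recorded type is an error rather than a silent guess.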

6.2.2 Example

We now apply the representation function outlined in the previous section to our running example: the Needham-Schroeder public-key protocol. The initiator role is represented by the following declaration:

    nspk_init : ΠA:principal.
      { ∃L : ΠB:principal. pubK B → nonce → rspArg.
          ΠB:principal. Πk_B:pubK B.
            { ∃n_A : nonce.
                net (pEnc k_B ((n2m n_A) + (p2m A)))
              ⊗ rsp (L B k_B n_A)
              ⊗ 1 }
        ⊗ ΠB:principal. Πk_B:pubK B.
          Πk_A:pubK A. Πk'_A:privK k_A.
          Πn_A:nonce. Πn_B:nonce.
                net (pEnc k_A ((n2m n_A) + (n2m n_B)))
             ⊸ rsp (L B k_B n_A)
             ⊸ { net (pEnc k_B (n2m n_B))
               ⊗ 1 }
        ⊗ 1
      }
We invite the reader to compare this CLF declaration to the MSR role it represents (in Section 6.1.2). With the exception of a few details discussed in a moment, this translation is very direct. We have however the following discrepancies:

• MSR's subtyping is mapped to coercions in CLF. While this is acceptable in this example, this encoding would not be adequate for more sophisticated situations. Treating these cases would require either a more complex encoding, or the investigation of extensions to CLF.

• A role state predicate L(t⃗) is represented indirectly as the constant symbol rsp applied to a dynamically generated function symbol L that takes the representation of t⃗ as arguments. While CLF forces our hand on this, we believe that the definition of MSR could be seamlessly adapted to reflect a similar behavior.

• Rule consequents and roles are terminated by an omnipresent 1. We could have given a slightly more tedious encoding which removes unnecessary 1's.

The  encoding  of  the  responder  is  analogous  and  the  object  of  similar  remarks: 

nspk_resp : ΠB:principal.
  { ∃L : principal → principal → nonce → rspArg
  . ΠkB:pubK B. Πk'B:privK kB.
    ΠA:principal. ΠkA:pubK A.
    ΠnA:nonce.
      net (pEnc kB ((n2m nA) + (p2m A)))
      ⊸ { ∃nB : nonce
        . net (pEnc kA ((n2m nA) + (n2m nB)))
        ⊗ rsp (L A nB)
        ⊗ 1 }
  ⊗ ΠA:principal.
    ΠkB:pubK B. Πk'B:privK kB.
    ΠnB:nonce.
      net (pEnc kB (n2m nB))
      ⊸ rsp (L A nB)
      ⊸ { 1 }
  ⊗ 1
} 
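The two roles above read as multiset-rewriting rules: every `net` and `rsp` fact is a linear resource that a rule consumes exactly once, each existential quantifier introduces a fresh nonce, and the role state predicate `rsp (L ...)` carries a role's memory from one rule to the next. The following Python executor, an added example that is not code from this report or from any MSR or CLF implementation, runs an honest execution of the protocol in exactly that style. Encryption is modelled only by key matching (a fact `Net(k, m)` can be consumed only by the rule owning the private key for `k`); the principals `A`, `B`, their keys `kA`, `kB`, and all function and class names are this example's own assumptions.

```python
from dataclasses import dataclass
from itertools import count

_nonces = count(1)

def fresh_nonce(tag):
    """∃n:nonce in a rule consequent: a name that has never appeared in the state."""
    return f"{tag}{next(_nonces)}"

@dataclass(frozen=True)
class Net:
    """net (pEnc k m): message m on the network, encrypted under public key k.
    m is a tuple of tagged atoms, e.g. ("n", nA, "p", A) for (n2m nA) + (p2m A)."""
    key: str
    msg: tuple

@dataclass(frozen=True)
class Rsp:
    """rsp (L t...): role state predicate L applied to the values the role remembers."""
    role: str
    args: tuple

def take(state, pred):
    """Remove and return the first fact satisfying pred, or None.
    A fact is a linear resource: a rule that mentions it on the left of ⊸ consumes it."""
    for i, fact in enumerate(state):
        if pred(fact):
            return state.pop(i)
    return None

def is_net(f, key, prefix):
    """A network message readable by the owner of `key` whose content starts with prefix."""
    return isinstance(f, Net) and f.key == key and f.msg[:len(prefix)] == prefix

# Initiator A, first rule:  {∃nA:nonce. net (pEnc kB ((n2m nA) + (p2m A))) ⊗ rsp (L B kB nA) ⊗ 1}
def init_send(state, A, B, kB):
    nA = fresh_nonce("nA")
    state.append(Net(kB, ("n", nA, "p", A)))
    state.append(Rsp("L_init", (B, kB, nA)))
    return nA

# Initiator A, second rule:
#   net (pEnc kA ((n2m nA) + (n2m nB))) ⊸ rsp (L B kB nA) ⊸ {net (pEnc kB (n2m nB)) ⊗ 1}
def init_reply(state, kA):
    rsp = take(state, lambda f: isinstance(f, Rsp) and f.role == "L_init")
    if rsp is None:
        return False                        # no role state left: the rule cannot fire
    B, kB, nA = rsp.args
    m = take(state, lambda f: is_net(f, kA, ("n", nA, "n")))
    if m is None:
        state.append(rsp)                   # nothing was consumed: restore the role state
        return False
    nB = m.msg[3]
    state.append(Net(kB, ("n", nB)))
    return True

# Responder B, first rule:
#   net (pEnc kB ((n2m nA) + (p2m A))) ⊸ {∃nB:nonce. net (pEnc kA ((n2m nA) + (n2m nB))) ⊗ rsp (L A nB) ⊗ 1}
def resp_reply(state, kB, pubkey_of):
    m = take(state, lambda f: is_net(f, kB, ("n",)) and len(f.msg) == 4 and f.msg[2] == "p")
    if m is None:
        return False
    nA, A = m.msg[1], m.msg[3]
    nB = fresh_nonce("nB")
    state.append(Net(pubkey_of[A], ("n", nA, "n", nB)))
    state.append(Rsp("L_resp", (A, nB)))
    return True

# Responder B, second rule:  net (pEnc kB (n2m nB)) ⊸ rsp (L A nB) ⊸ {1}
def resp_finish(state, kB):
    rsp = take(state, lambda f: isinstance(f, Rsp) and f.role == "L_resp")
    if rsp is None:
        return False
    A, nB = rsp.args
    m = take(state, lambda f: is_net(f, kB, ("n", nB)) and len(f.msg) == 2)
    if m is None:
        state.append(rsp)
        return False
    return True                             # consequent 1: nothing new is produced

def run_nspk():
    """One honest run between constructed principals A and B.
    Returns the final state (empty: every linear fact was consumed) and the rules fired."""
    pubkey_of = {"A": "kA", "B": "kB"}      # constructed sample keys
    state, fired = [], 0
    init_send(state, "A", "B", pubkey_of["B"])
    fired += 1
    fired += resp_reply(state, pubkey_of["B"], pubkey_of)
    fired += init_reply(state, pubkey_of["A"])
    fired += resp_finish(state, pubkey_of["B"])
    return state, fired
```

The point of `take` restoring the role state when the second resource is missing is that a rule with two linear premises fires only when both are present, as the nested `⊸` in the encoding requires; calling `init_reply` before the responder has answered therefore leaves the state untouched, and after a complete run the state is empty because every fact, including both role state predicates, has been consumed exactly once.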

6.2.3  Adequacy  Results 

In order to discuss the adequacy of the representation of MSR just presented, we need to
define the representation of the execution judgment $\mathcal{P} \triangleright C \longrightarrow^* C'$ of this language.
As in the case of Petri net markings, the two sides of this judgment will have
distinct representations: the antecedent $C$ will be encoded as a context, while the consequent
$C'$ as a synchronous CLF formula. The protocol theory $\mathcal{P}$ becomes the signature of the
corresponding CLF judgment.
We start by giving the representation of the configuration on the left-hand side of the multi-step
execution judgment. We map the signature part to a sequence of declarations in the
unrestricted CLF context, while the state and the active role components are translated as
a set of linear declarations:


r  a 


The encoding of a signature on the left-hand side simply discharges its constituents as
unrestricted context declarations:

$\ulcorner \cdot \urcorner^{(1)} = \cdot$
$\ulcorner \Sigma, a{:}\tau \urcorner^{(1)} = \ulcorner \Sigma \urcorner^{(1)},\ a : \ulcorner \tau \urcorner$
$\ulcorner \Sigma, L{:}\vec\tau \urcorner^{(1)} = \ulcorner \Sigma \urcorner^{(1)},\ L : \ulcorner \vec\tau \urcorner$

Recall  that  MSR  types  are  mapped  to  CLF  types.  The  encoding  of  type  tuples  was 
given  earlier. 

Each element in a state $S$ is rendered as a linear declaration in CLF. Clearly, we need
to prefix each declaration with a distinct variable name (which we generically call $x$ here).
The encoding of the individual elements was given in Section 6.2.1.

$\ulcorner \cdot \urcorner^{(1)} = \cdot$
$\ulcorner S, N(t) \urcorner^{(1)} = \ulcorner S \urcorner^{(1)},\ x : \mathit{net}\ \ulcorner t \urcorner$
$\ulcorner S, L(\vec t) \urcorner^{(1)} = \ulcorner S \urcorner^{(1)},\ x : \mathit{rsp}\ \ulcorner \vec t \urcorner_L$


The left-hand encoding of active roles is similar:

$\ulcorner \cdot \urcorner^{(1)} = \cdot$
$\ulcorner R, \rho^{A} \urcorner^{(1)} = \ulcorner R \urcorner^{(1)},\ x : \ulcorner \rho \urcorner$


We now turn to configurations $C' = [S']^{R'}_{\Sigma'}$ that appear on the right-hand side of the
MSR execution judgment. Intuitively, we want to represent $C'$ as a synchronous CLF formula
obtained by tensoring the encodings of the components of the state $S'$ and the active role set
$R'$, prefixed by existential quantifications over the signature $\Sigma'$. This is however inadequate
unless $C'$ is reached from a configuration with an empty signature. In general, we must
omit a prefix $\Sigma$ of the signature, corresponding to the constants available at the beginning
of the considered execution sequence. The encoding of $C'$ is therefore relative to $\Sigma$. This
intuition is formalized as follows, where $\Sigma'$ has been expanded as $\Sigma, \Sigma''$:

$\ulcorner [S']^{R'}_{\Sigma,\Sigma''} \urcorner^{(2_\Sigma)} = \ulcorner \Sigma'' \urcorner^{(2_\Sigma)} \big( \ulcorner R' \urcorner^{(2_\Sigma)} \otimes \ulcorner S' \urcorner^{(2_\Sigma)} \big)$


We  anticipated  that  the  encoding  of  the  state  and  active  role  set  components  of  a 
configuration  is  obtained  by  tensoring  the  representation  of  their  constituents.  This  is 
formalized  as  follows: 


$\ulcorner \cdot \urcorner^{(2_\Sigma)} = 1$
$\ulcorner S, N(t) \urcorner^{(2_\Sigma)} = \ulcorner S \urcorner^{(2_\Sigma)} \otimes \mathit{net}\ \ulcorner t \urcorner$
$\ulcorner S, L(\vec t) \urcorner^{(2_\Sigma)} = \ulcorner S \urcorner^{(2_\Sigma)} \otimes \mathit{rsp}\ \ulcorner \vec t \urcorner_L$

$\ulcorner \cdot \urcorner^{(2_\Sigma)} = 1$
$\ulcorner R, \rho^{A} \urcorner^{(2_\Sigma)} = \ulcorner R \urcorner^{(2_\Sigma)} \otimes \ulcorner \rho \urcorner$

The result of this operation is prefixed by a sequence of existential quantifiers guided by
the signature fragment under examination:

$\ulcorner \cdot \urcorner^{(2_\Sigma)}\, S = S$
$\ulcorner \Sigma'', a{:}\tau \urcorner^{(2_\Sigma)}\, S = \ulcorner \Sigma'' \urcorner^{(2_\Sigma)}\, (\exists a{:}\ulcorner \tau \urcorner.\ S)$
$\ulcorner \Sigma'', L{:}\vec\tau \urcorner^{(2_\Sigma)}\, S = \ulcorner \Sigma'' \urcorner^{(2_\Sigma)}\, (\exists L{:}\ulcorner \vec\tau \urcorner.\ S)$


With the help of these definitions, we propose the following statement for the adequacy
of our representation of MSR. While we have not formally proved it, we expect that a proof
can be achieved by using the proof of adequacy for Petri nets given in Section 5.3.4 as a
mold, and refining it to accommodate the idiosyncrasies of MSR.

Expected Result 6.1. (Adequacy of the representation of MSR execution in CLF)

Let $\mathcal{P}$ be a protocol theory and $C$ and $C'$ two configurations with $C = [S]^{R}_{\Sigma}$. There is a
bijection between derivations of the MSR multi-step execution judgment

$\mathcal{P} \triangleright C \longrightarrow^* C'$

and terms $E$ such that the judgment

$\ulcorner C \urcorner^{(1)} \vdash_{\ulcorner \mathcal{P} \urcorner} E \leftarrow \ulcorner C' \urcorner^{(2_\Sigma)}$

is derivable in CLF.

The structure of the term $E$ mentioned in this result is similar to what we obtained in the
case of Petri nets. Rule applications are mapped to let expressions exactly like transitions in
Section 5.3.4. The presence of existential quantifiers accounts however for a richer encoding.
Finally, the manipulation of roles is another source of let terms.

7  Conclusions 

CLF extends the expressive power of the LF family of logical frameworks by permitting
natural and adequate encodings of a large class of concurrent systems. This technical
report evaluates this new formalism on four case studies which all embed different models
of concurrency: the π-calculus, Concurrent ML with futures à la Multilisp, Petri nets, and
the multiset rewriting based security protocol specification language MSR. One of the next
tests for the framework will be the development of techniques that allow us to state and
prove properties of computations in CLF and to explore formal encodings of the metatheory
of our applications.
A Syntax and judgments of CLF

A.1 Syntax

Definition 11 (Type constructors).

$A, B, C ::= A \multimap B \mid \Pi x{:}A.\,B \mid A \mathbin{\&} B \mid \top \mid \{S\} \mid P$   Asynchronous types
$P ::= a \mid P\,N$   Atomic type constructors
$S ::= S_1 \otimes S_2 \mid 1 \mid \exists x{:}A.\,S \mid A$   Synchronous types

Definition 12 (Kinds).

$K, L ::= \mathsf{type} \mid \Pi x{:}A.\,K$   Kinds

Definition 13 (Objects).

$N ::= \hat\lambda x.\,N \mid \lambda x.\,N \mid \langle N_1, N_2 \rangle \mid \langle\rangle \mid \{E\} \mid R$   Normal objects
$R ::= c \mid x \mid R^{\wedge}N \mid R\,N \mid \pi_1 R \mid \pi_2 R$   Atomic objects
$E ::= \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E \mid M$   Expressions
$M ::= M_1 \otimes M_2 \mid 1 \mid [N, M] \mid N$   Monadic objects
$p ::= p_1 \otimes p_2 \mid 1 \mid [x, p] \mid x$   Patterns

A.2 Equality

Definition 14 (Concurrent contexts).

$\epsilon ::= \_ \mid \mathsf{let}\ \{p\} = R\ \mathsf{in}\ \epsilon$   Concurrent contexts

Definition 15 (Equality).

$E_1 =_c E_2$   [Concurrent equality]

$\dfrac{M_1 = M_2}{M_1 =_c M_2}$ \qquad $\dfrac{R_1 = R_2 \qquad E_1 =_c \epsilon[E_2]}{(\mathsf{let}\ \{p\} = R_1\ \mathsf{in}\ E_1) =_c \epsilon[\mathsf{let}\ \{p\} = R_2\ \mathsf{in}\ E_2]}\ (*)$

$E_1 = E_2$   [Expression equality]

$\dfrac{E_1 =_c E_2}{E_1 = E_2}$

$N_1 = N_2 \qquad R_1 = R_2 \qquad M_1 = M_2 \qquad p_1 = p_2$   [Other equalities]

(All congruences.)

The  rule  marked  (*)  is  subject  to  the  side  condition  that  no  variable  bound  by  p  be  free 
in  the  conclusion  or  bound  by  the  context  e,  and  that  no  variable  free  in  R2  be  bound  by 
the  context  e. 
A.3 Instantiation

Definition 16 (Instantiation).

$\mathit{treduce}_A(x.\,R) = B$   [Type reduction]

$\mathit{treduce}_A(x.\,x) = A$
$\mathit{treduce}_A(x.\,R\,N) = C$  if $\mathit{treduce}_A(x.\,R) = \Pi y{:}B.\,C$
$\mathit{treduce}_A(x.\,R^{\wedge}N) = C$  if $\mathit{treduce}_A(x.\,R) = B \multimap C$
$\mathit{treduce}_A(x.\,\pi_1 R) = B_1$  if $\mathit{treduce}_A(x.\,R) = B_1 \mathbin{\&} B_2$
$\mathit{treduce}_A(x.\,\pi_2 R) = B_2$  if $\mathit{treduce}_A(x.\,R) = B_1 \mathbin{\&} B_2$

$\mathit{reduce}_A(x.\,R, N_0) = N'$   [Reduction]

$\mathit{reduce}_A(x.\,x, N_0) = N_0$
$\mathit{reduce}_A(x.\,R\,N, N_0) = \mathit{inst\_n}_B(y.\,N', \mathit{inst\_n}_A(x.\,N, N_0))$
  if $\mathit{treduce}_A(x.\,R) = \Pi y{:}B.\,C$ and $\mathit{reduce}_A(x.\,R, N_0) = \lambda y.\,N'$
$\mathit{reduce}_A(x.\,R^{\wedge}N, N_0) = \mathit{inst\_n}_B(y.\,N', \mathit{inst\_n}_A(x.\,N, N_0))$
  if $\mathit{treduce}_A(x.\,R) = B \multimap C$ and $\mathit{reduce}_A(x.\,R, N_0) = \hat\lambda y.\,N'$
$\mathit{reduce}_A(x.\,\pi_1 R, N_0) = N'_1$  if $\mathit{reduce}_A(x.\,R, N_0) = \langle N'_1, N'_2 \rangle$
$\mathit{reduce}_A(x.\,\pi_2 R, N_0) = N'_2$  if $\mathit{reduce}_A(x.\,R, N_0) = \langle N'_1, N'_2 \rangle$

$\mathit{inst\_r}_A(x.\,R, N_0) = R'$   [Atomic object instantiation]

$\mathit{inst\_r}_A(x.\,c, N_0) = c$
$\mathit{inst\_r}_A(x.\,y, N_0) = y$  if $y$ is not $x$
$\mathit{inst\_r}_A(x.\,R\,N, N_0) = (\mathit{inst\_r}_A(x.\,R, N_0))\,(\mathit{inst\_n}_A(x.\,N, N_0))$
$\mathit{inst\_r}_A(x.\,R^{\wedge}N, N_0) = (\mathit{inst\_r}_A(x.\,R, N_0))^{\wedge}(\mathit{inst\_n}_A(x.\,N, N_0))$
$\mathit{inst\_r}_A(x.\,\pi_1 R, N_0) = \pi_1(\mathit{inst\_r}_A(x.\,R, N_0))$
$\mathit{inst\_r}_A(x.\,\pi_2 R, N_0) = \pi_2(\mathit{inst\_r}_A(x.\,R, N_0))$

$\mathit{inst\_n}_A(x.\,N, N_0) = N'$   [Normal object instantiation]

$\mathit{inst\_n}_A(x.\,\lambda y.\,N, N_0) = \lambda y.\,\mathit{inst\_n}_A(x.\,N, N_0)$  if $y \notin FV(N_0)$
$\mathit{inst\_n}_A(x.\,\hat\lambda y.\,N, N_0) = \hat\lambda y.\,\mathit{inst\_n}_A(x.\,N, N_0)$  if $y \notin FV(N_0)$
$\mathit{inst\_n}_A(x.\,\langle N_1, N_2 \rangle, N_0) = \langle \mathit{inst\_n}_A(x.\,N_1, N_0), \mathit{inst\_n}_A(x.\,N_2, N_0) \rangle$
$\mathit{inst\_n}_A(x.\,\langle\rangle, N_0) = \langle\rangle$
$\mathit{inst\_n}_A(x.\,\{E\}, N_0) = \{\mathit{inst\_e}_A(x.\,E, N_0)\}$
$\mathit{inst\_n}_A(x.\,R, N_0) = \mathit{inst\_r}_A(x.\,R, N_0)$  if $\mathit{head}(R)$ is not $x$
$\mathit{inst\_n}_A(x.\,R, N_0) = \mathit{reduce}_A(x.\,R, N_0)$  if $\mathit{treduce}_A(x.\,R) = P$

$\mathit{inst\_m}_A(x.\,M, N_0) = M'$   [Monadic object instantiation]

$\mathit{inst\_m}_A(x.\,M_1 \otimes M_2, N_0) = \mathit{inst\_m}_A(x.\,M_1, N_0) \otimes \mathit{inst\_m}_A(x.\,M_2, N_0)$
$\mathit{inst\_m}_A(x.\,1, N_0) = 1$
$\mathit{inst\_m}_A(x.\,[N, M], N_0) = [\mathit{inst\_n}_A(x.\,N, N_0), \mathit{inst\_m}_A(x.\,M, N_0)]$
$\mathit{inst\_m}_A(x.\,N, N_0) = \mathit{inst\_n}_A(x.\,N, N_0)$

$\mathit{inst\_e}_A(x.\,E, N_0) = E'$   [Expression instantiation]

$\mathit{inst\_e}_A(x.\,\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E, N_0) = (\mathsf{let}\ \{p\} = \mathit{inst\_r}_A(x.\,R, N_0)\ \mathsf{in}\ \mathit{inst\_e}_A(x.\,E, N_0))$
  if $\mathit{head}(R)$ is not $x$, and $FV(p) \cap FV(N_0)$ is empty
$\mathit{inst\_e}_A(x.\,\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E, N_0) = \mathit{match\_e}_S(p.\,\mathit{inst\_e}_A(x.\,E, N_0), E')$
  if $\mathit{treduce}_A(x.\,R) = \{S\}$, $\mathit{reduce}_A(x.\,R, N_0) = \{E'\}$, and $FV(p) \cap FV(N_0)$ is empty
$\mathit{inst\_e}_A(x.\,M, N_0) = \mathit{inst\_m}_A(x.\,M, N_0)$

$\mathit{match\_m}_S(p.\,E, M_0) = E'$   [Match monadic object]

$\mathit{match\_m}_{S_1 \otimes S_2}(p_1 \otimes p_2.\,E, M_1 \otimes M_2) = \mathit{match\_m}_{S_2}(p_2.\,\mathit{match\_m}_{S_1}(p_1.\,E, M_1), M_2)$
  if $FV(p_2) \cap FV(M_1)$ is empty
$\mathit{match\_m}_1(1.\,E, 1) = E$
$\mathit{match\_m}_{\exists x{:}A.\,S}([x, p].\,E, [N, M]) = \mathit{match\_m}_{S'}(p.\,\mathit{inst\_e}_A(x.\,E, N), M)$
  if $FV(p) \cap FV(N)$ is empty
$\mathit{match\_m}_A(x.\,E, N) = \mathit{inst\_e}_A(x.\,E, N)$

$\mathit{match\_e}_S(p.\,E, E_0) = E'$   [Match expression]

$\mathit{match\_e}_S(p.\,E, \mathsf{let}\ \{p_0\} = R_0\ \mathsf{in}\ E_0) = \mathsf{let}\ \{p_0\} = R_0\ \mathsf{in}\ \mathit{match\_e}_S(p.\,E, E_0)$
  if $FV(p_0) \cap FV(E)$ and $FV(p) \cap FV(E_0)$ are empty
$\mathit{match\_e}_S(p.\,E, M_0) = \mathit{match\_m}_S(p.\,E, M_0)$

$\mathit{inst\_p}_A(x.\,P, N_0) = P'$   [Atomic type constructor instantiation]
$\mathit{inst\_a}_A(x.\,A, N_0) = A'$   [Type instantiation]
$\mathit{inst\_s}_A(x.\,S, N_0) = S'$   [Synchronous type instantiation]
$\mathit{inst\_k}_A(x.\,K, N_0) = K'$   [Kind instantiation]


(Analogous.) 
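The pattern-matching half of Definition 16 is what gives a `let {p} = R in E` its meaning once `R` has reduced to a monadic value: `match_m` walks the pattern and the object side by side, binding the pattern variables, and the bindings are then pushed into the body. The following Python, an added example rather than code from the report, implements exactly that binding walk over patterns `p1 ⊗ p2`, `1`, `[x, p]` and `x`. It simplifies the definition in one respect, stated here as an assumption: objects are first-order tagged tuples and the body is instantiated by plain structural substitution, so the hereditary `inst_n`/`reduce` machinery is not modelled. All function names and the constructed sample terms are the example's own.

```python
def match_m(p, m):
    """The binding part of match_m (Definition 16): the substitution that pattern p receives
    from monadic object m.  Patterns are ("tensor", p1, p2), ("one",), ("exists", x, p) and
    ("var", x); objects are ("tensor", m1, m2), ("one",), ("pair", n, m) or any other term.
    Raises ValueError where the definition has no clause for the pair (p, m)."""
    kind = p[0]
    if kind == "tensor":                    # p1 ⊗ p2 against M1 ⊗ M2
        if m[0] != "tensor":
            raise ValueError("tensor pattern needs a tensor object")
        s1, s2 = match_m(p[1], m[1]), match_m(p[2], m[2])
        if set(s1) & set(s2):               # a pattern binds each variable once (assumption)
            raise ValueError("pattern binds a variable twice")
        return {**s1, **s2}
    if kind == "one":                       # 1 against 1
        if m != ("one",):
            raise ValueError("unit pattern needs the unit object")
        return {}
    if kind == "exists":                    # [x, p'] against [N, M']
        if m[0] != "pair":
            raise ValueError("existential pattern needs a pair")
        inner = match_m(p[2], m[2])
        if p[1] in inner:
            raise ValueError("pattern binds a variable twice")
        return {p[1]: m[1], **inner}
    if kind == "var":                       # x against N
        return {p[1]: m}
    raise ValueError(f"unknown pattern {p!r}")

def inst(e, sub):
    """Substitute into a first-order term: variables are ("var", x); any other tuple is a
    constructor application traversed structurally (no hereditary reduction here)."""
    if isinstance(e, tuple):
        if e[0] == "var" and e[1] in sub:
            return sub[e[1]]
        return tuple(inst(x, sub) for x in e)
    return e

def let_match(p, m, body):
    """let {p} = {m} in body, for a monadic value m: match_m, then instantiate the body."""
    return inst(body, match_m(p, m))

def matches(p, m):
    """True when match_m has a clause for p against m, False when it is undefined."""
    try:
        match_m(p, m)
        return True
    except ValueError:
        return False
```

A pattern of the shape `[u, x] ⊗ y` against a pair-and-tensor object is the case that arises when a rule consequent of the form `{∃u:chan. ... ⊗ ...}` is consumed by a `let`: the existential witness is bound to `u` and the two tensor components to `x` and `y`, and the `let` body is then read under that substitution.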


A.4 Expansion

Definition 17 (Expansion).

$\mathit{expand}_A(R) = N$   [Expansion]

$\mathit{expand}_P(R) = R$
$\mathit{expand}_{A \multimap B}(R) = \hat\lambda x.\,\mathit{expand}_B(R^{\wedge}(\mathit{expand}_A(x)))$  if $x \notin FV(R)$
$\mathit{expand}_{\Pi x{:}A.\,B}(R) = \lambda x.\,\mathit{expand}_B(R\,(\mathit{expand}_A(x)))$  if $x \notin FV(R)$
$\mathit{expand}_{A \mathbin{\&} B}(R) = \langle \mathit{expand}_A(\pi_1 R), \mathit{expand}_B(\pi_2 R) \rangle$
$\mathit{expand}_{\top}(R) = \langle\rangle$
$\mathit{expand}_{\{S\}}(R) = \{\mathsf{let}\ \{p\} = R\ \mathsf{in}\ \mathit{pexpand}_S(p)\}$

$\mathit{pexpand}_S(p) = M$   [Pattern expansion]

$\mathit{pexpand}_{S_1 \otimes S_2}(p_1 \otimes p_2) = \mathit{pexpand}_{S_1}(p_1) \otimes \mathit{pexpand}_{S_2}(p_2)$
$\mathit{pexpand}_1(1) = 1$
$\mathit{pexpand}_{\exists x{:}A.\,S}([x, p]) = [\mathit{expand}_A(x), \mathit{pexpand}_S(p)]$
$\mathit{pexpand}_A(x) = \mathit{expand}_A(x)$

A.5 Typing

Definition 18 (Signatures and contexts).

$\Sigma ::= \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A$   Signatures
$\Gamma ::= \cdot \mid \Gamma, x{:}A$   Unrestricted contexts
$\Delta ::= \cdot \mid \Delta, x^{\wedge}A$   Linear contexts
$\Psi ::= \cdot \mid p^{\wedge}S, \Psi$   Pattern contexts

Definition 19 (Typing).

$\vdash \Sigma\ \mathsf{ok}$   [Signature validity]

$\dfrac{}{\vdash \cdot\ \mathsf{ok}}$ \qquad $\dfrac{\vdash \Sigma\ \mathsf{ok} \qquad \cdot \vdash_\Sigma K \Leftarrow \mathsf{kind}}{\vdash \Sigma, a{:}K\ \mathsf{ok}}$ \qquad $\dfrac{\vdash \Sigma\ \mathsf{ok} \qquad \cdot \vdash_\Sigma A \Leftarrow \mathsf{type}}{\vdash \Sigma, c{:}A\ \mathsf{ok}}$

$\vdash_\Sigma \Gamma\ \mathsf{ok}$   [Context validity]

$\dfrac{}{\vdash_\Sigma \cdot\ \mathsf{ok}}$ \qquad $\dfrac{\vdash_\Sigma \Gamma\ \mathsf{ok} \qquad \Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}}{\vdash_\Sigma \Gamma, x{:}A\ \mathsf{ok}}$

$\Gamma \vdash_\Sigma \Delta\ \mathsf{ok}$   [Linear context validity]

$\dfrac{}{\Gamma \vdash_\Sigma \cdot\ \mathsf{ok}}$ \qquad $\dfrac{\Gamma \vdash_\Sigma \Delta\ \mathsf{ok} \qquad \Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}}{\Gamma \vdash_\Sigma \Delta, x^{\wedge}A\ \mathsf{ok}}$

$\Gamma \vdash_\Sigma \Psi\ \mathsf{ok}$   [Pattern context validity]

$\dfrac{}{\Gamma \vdash_\Sigma \cdot\ \mathsf{ok}}$ \qquad $\dfrac{\Gamma \vdash_\Sigma S \Leftarrow \mathsf{type} \qquad \Gamma \vdash_\Sigma \Psi\ \mathsf{ok}}{\Gamma \vdash_\Sigma p^{\wedge}S, \Psi\ \mathsf{ok}}$
$\Gamma \vdash_\Sigma K \Leftarrow \mathsf{kind}$   [Kind checking]

$\dfrac{}{\Gamma \vdash \mathsf{type} \Leftarrow \mathsf{kind}}\ \mathsf{typeKF}$ \qquad $\dfrac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash K \Leftarrow \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.\,K \Leftarrow \mathsf{kind}}\ \Pi\mathsf{KF}$

$\Gamma \vdash_\Sigma A \Leftarrow \mathsf{type}$   [Type checking]

$\dfrac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash \Pi x{:}A.\,B \Leftarrow \mathsf{type}}\ \Pi\mathsf{F}$ \qquad $\dfrac{\Gamma \vdash P \Rightarrow \mathsf{type}}{\Gamma \vdash P \Leftarrow \mathsf{type}}\ {\Rightarrow}{\Leftarrow}\mathsf{P}$

$\dfrac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash A \multimap B \Leftarrow \mathsf{type}}\ {\multimap}\mathsf{F}$ \qquad $\dfrac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma \vdash B \Leftarrow \mathsf{type}}{\Gamma \vdash A \mathbin{\&} B \Leftarrow \mathsf{type}}\ {\&}\mathsf{F}$

$\dfrac{}{\Gamma \vdash \top \Leftarrow \mathsf{type}}\ \top\mathsf{F}$ \qquad $\dfrac{\Gamma \vdash S \Leftarrow \mathsf{type}}{\Gamma \vdash \{S\} \Leftarrow \mathsf{type}}\ \{\}\mathsf{F}$

$\Gamma \vdash_\Sigma S \Leftarrow \mathsf{type}$   [Synchronous type checking]

$\dfrac{\Gamma \vdash S_1 \Leftarrow \mathsf{type} \qquad \Gamma \vdash S_2 \Leftarrow \mathsf{type}}{\Gamma \vdash S_1 \otimes S_2 \Leftarrow \mathsf{type}}\ {\otimes}\mathsf{F}$ \qquad $\dfrac{}{\Gamma \vdash 1 \Leftarrow \mathsf{type}}\ 1\mathsf{F}$ \qquad $\dfrac{\Gamma \vdash A \Leftarrow \mathsf{type} \qquad \Gamma, x{:}A \vdash S \Leftarrow \mathsf{type}}{\Gamma \vdash \exists x{:}A.\,S \Leftarrow \mathsf{type}}\ {\exists}\mathsf{F}$

$\Gamma \vdash_\Sigma P \Rightarrow K$   [Atomic type constructor inference]

$\dfrac{}{\Gamma \vdash a \Rightarrow \Sigma(a)}\ a$ \qquad $\dfrac{\Gamma \vdash P \Rightarrow \Pi x{:}A.\,K \qquad \Gamma; \cdot \vdash N \Leftarrow A}{\Gamma \vdash P\,N \Rightarrow \mathit{inst\_k}_A(x.\,K, N)}\ \Pi\mathsf{KE}$

$\Gamma; \Delta \vdash_\Sigma N \Leftarrow A$   [Normal object checking]

$\dfrac{\Gamma, x{:}A; \Delta \vdash N \Leftarrow B}{\Gamma; \Delta \vdash \lambda x.\,N \Leftarrow \Pi x{:}A.\,B}\ \Pi\mathsf{I}$ \qquad $\dfrac{\Gamma; \Delta, x^{\wedge}A \vdash N \Leftarrow B}{\Gamma; \Delta \vdash \hat\lambda x.\,N \Leftarrow A \multimap B}\ {\multimap}\mathsf{I}$

$\dfrac{\Gamma; \Delta \vdash N_1 \Leftarrow A \qquad \Gamma; \Delta \vdash N_2 \Leftarrow B}{\Gamma; \Delta \vdash \langle N_1, N_2 \rangle \Leftarrow A \mathbin{\&} B}\ {\&}\mathsf{I}$ \qquad $\dfrac{}{\Gamma; \Delta \vdash \langle\rangle \Leftarrow \top}\ \top\mathsf{I}$

$\dfrac{\Gamma; \Delta \vdash E \leftarrow S}{\Gamma; \Delta \vdash \{E\} \Leftarrow \{S\}}\ \{\}\mathsf{I}$ \qquad $\dfrac{\Gamma; \Delta \vdash R \Rightarrow P' \qquad P' = P}{\Gamma; \Delta \vdash R \Leftarrow P}\ {\Rightarrow}{\Leftarrow}$

$\Gamma; \Delta \vdash_\Sigma R \Rightarrow A$   [Atomic object inference]

$\dfrac{}{\Gamma; \cdot \vdash c \Rightarrow \Sigma(c)}\ c$ \qquad $\dfrac{}{\Gamma; \cdot \vdash x \Rightarrow \Gamma(x)}\ x$ \qquad $\dfrac{}{\Gamma; x^{\wedge}A \vdash x \Rightarrow A}\ \hat{x}$

$\dfrac{\Gamma; \Delta \vdash R \Rightarrow \Pi x{:}A.\,B \qquad \Gamma; \cdot \vdash N \Leftarrow A}{\Gamma; \Delta \vdash R\,N \Rightarrow \mathit{inst\_a}_A(x.\,B, N)}\ \Pi\mathsf{E}$ \qquad $\dfrac{\Gamma; \Delta_1 \vdash R \Rightarrow A \multimap B \qquad \Gamma; \Delta_2 \vdash N \Leftarrow A}{\Gamma; \Delta_1, \Delta_2 \vdash R^{\wedge}N \Rightarrow B}\ {\multimap}\mathsf{E}$

$\dfrac{\Gamma; \Delta \vdash R \Rightarrow A \mathbin{\&} B}{\Gamma; \Delta \vdash \pi_1 R \Rightarrow A}\ {\&}\mathsf{E}_1$ \qquad $\dfrac{\Gamma; \Delta \vdash R \Rightarrow A \mathbin{\&} B}{\Gamma; \Delta \vdash \pi_2 R \Rightarrow B}\ {\&}\mathsf{E}_2$
$\Gamma; \Delta \vdash_\Sigma E \leftarrow S$   [Expression checking]

$\dfrac{\Gamma; \Delta_1 \vdash R \Rightarrow \{S_0\} \qquad \Gamma; \Delta_2; p^{\wedge}S_0 \vdash E \leftarrow S}{\Gamma; \Delta_1, \Delta_2 \vdash (\mathsf{let}\ \{p\} = R\ \mathsf{in}\ E) \leftarrow S}\ \{\}\mathsf{E}$ \qquad $\dfrac{\Gamma; \Delta \vdash M \Leftarrow S}{\Gamma; \Delta \vdash M \leftarrow S}\ {\Leftarrow}{\leftarrow}$

$\Gamma; \Delta; \Psi \vdash_\Sigma E \leftarrow S$   [Pattern expansion]

$\dfrac{\Gamma; \Delta \vdash E \leftarrow S}{\Gamma; \Delta; \cdot \vdash E \leftarrow S}\ {\cdot}\mathsf{L}$ \qquad $\dfrac{\Gamma; \Delta; p_1^{\wedge}S_1, p_2^{\wedge}S_2, \Psi \vdash E \leftarrow S}{\Gamma; \Delta; (p_1 \otimes p_2)^{\wedge}(S_1 \otimes S_2), \Psi \vdash E \leftarrow S}\ {\otimes}\mathsf{L}$ \qquad $\dfrac{\Gamma; \Delta; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; 1^{\wedge}1, \Psi \vdash E \leftarrow S}\ 1\mathsf{L}$

$\dfrac{\Gamma, x{:}A; \Delta; p^{\wedge}S, \Psi \vdash E \leftarrow S'}{\Gamma; \Delta; [x, p]^{\wedge}(\exists x{:}A.\,S), \Psi \vdash E \leftarrow S'}\ {\exists}\mathsf{L}$ \qquad $\dfrac{\Gamma; \Delta, x^{\wedge}A; \Psi \vdash E \leftarrow S}{\Gamma; \Delta; x^{\wedge}A, \Psi \vdash E \leftarrow S}\ A\mathsf{L}$

$\Gamma; \Delta \vdash_\Sigma M \Leftarrow S$   [Monadic object checking]

$\dfrac{\Gamma; \Delta_1 \vdash M_1 \Leftarrow S_1 \qquad \Gamma; \Delta_2 \vdash M_2 \Leftarrow S_2}{\Gamma; \Delta_1, \Delta_2 \vdash M_1 \otimes M_2 \Leftarrow S_1 \otimes S_2}\ {\otimes}\mathsf{I}$ \qquad $\dfrac{}{\Gamma; \cdot \vdash 1 \Leftarrow 1}\ 1\mathsf{I}$

$\dfrac{\Gamma; \cdot \vdash N \Leftarrow A \qquad \Gamma; \Delta \vdash M \Leftarrow \mathit{inst\_s}_A(x.\,S, N)}{\Gamma; \Delta \vdash [N, M] \Leftarrow \exists x{:}A.\,S}\ {\exists}\mathsf{I}$

B Adequacy of the Synchronous π-calculus

For the sake of brevity, we combine unrestricted ($\Gamma$) and linear ($\Delta$) contexts into a single
context $\Gamma$ throughout this appendix. We also omit leading $\Pi$-quantifiers and the corresponding
applications.

B.1 Syntax and Semantics

B.1.1 Syntax

Process Expressions $P ::= (P\,|\,Q) \mid \mathsf{new}\,u\,P \mid\ !P \mid M$
Sums $M ::= 0 \mid c + M$
Actions $c ::= \tau.P \mid u(v).P \mid \bar{u}\langle v\rangle.P$
B.1.2 Structural Equivalence

$P \equiv P\,|\,0$  (str1) \qquad $P\,|\,Q \equiv Q\,|\,P$  (str2) \qquad $P\,|\,(Q\,|\,R) \equiv (P\,|\,Q)\,|\,R$  (str3)

$0 \equiv \mathsf{new}\,u\,0$  (str4) \qquad $\mathsf{new}\,u\,(P\,|\,Q) \equiv P\,|\,(\mathsf{new}\,u\,Q)$  (str5, if $u \notin P$) \qquad $\mathsf{new}\,u\,\mathsf{new}\,v\,P \equiv \mathsf{new}\,v\,\mathsf{new}\,u\,P$  (str6)

$!P \equiv\ !P\,|\,P$  (str7)

$\dfrac{P \equiv Q}{Q \equiv P}$ (str8) \qquad $\dfrac{P \equiv R \qquad R \equiv Q}{P \equiv Q}$ (str9) \qquad $\dfrac{P \equiv P'}{P\,|\,Q \equiv P'\,|\,Q}$ (str10)

$\dfrac{P \equiv P'}{\mathsf{new}\,u\,P \equiv \mathsf{new}\,u\,P'}$ (str11) \qquad $\dfrac{P \equiv P'}{!P \equiv\ !P'}$ (str12) \qquad $P \equiv P$  (str13)

$c_1 + c_2 + M \equiv c_2 + c_1 + M$  (str14) \qquad $\dfrac{c \equiv c'}{c + M \equiv c' + M}$ (str15) \qquad $\dfrac{M \equiv M'}{c + M \equiv c + M'}$ (str16)

$\dfrac{P \equiv P'}{\tau.P \equiv \tau.P'}$ (str17) \qquad $\dfrac{P \equiv P'}{u(v).P \equiv u(v).P'}$ (str18) \qquad $\dfrac{P \equiv P'}{\bar{u}\langle v\rangle.P \equiv \bar{u}\langle v\rangle.P'}$ (str19)

B.1.3 Reduction

$\tau.P + M \longrightarrow P$  (red1) \qquad $(u(y).P + M_1)\,|\,(\bar{u}\langle v\rangle.Q + M_2) \longrightarrow P[v/y]\,|\,Q$  (red2)

$\dfrac{P \equiv P' \qquad P' \longrightarrow Q' \qquad Q' \equiv Q}{P \longrightarrow Q}$ (red3) \qquad $\dfrac{P \longrightarrow P'}{P\,|\,Q \longrightarrow P'\,|\,Q}$ (red4) \qquad $\dfrac{P \longrightarrow P'}{\mathsf{new}\,u\,P \longrightarrow \mathsf{new}\,u\,P'}$ (red5)

B.1.4 Multi-Step Reduction

$\dfrac{P \equiv Q}{P \longrightarrow^* Q}$ (red6) \qquad $\dfrac{P \longrightarrow R \qquad R \longrightarrow^* Q}{P \longrightarrow^* Q}$ (red7)


B.1.5 Normal Processes

To simplify our adequacy proof, we borrow the idea of a process in standard form (which
we call a normal process) from Milner.

Definition 20. (Normal Process $F$)

$F ::= \mathsf{new}\,u_1 \ldots u_n\ \ !P_1\,|\,\ldots\,|\,!P_m\,|\,M_1\,|\,\ldots\,|\,M_k$

Definition 21. (Normal Reduction $\longrightarrow^n$)

Normal reductions have either of the following forms:

• $\mathsf{new}\,u_1 \ldots u_n\ \ !P_1\,|\,\ldots\,|\,!P_m\,|\,M_1\,|\,\ldots\,|\,M_k\,|\,\tau.P$
$\longrightarrow^n\ \mathsf{new}\,u_1 \ldots u_n\ \ !P_1\,|\,\ldots\,|\,!P_m\,|\,M_1\,|\,\ldots\,|\,M_k\,|\,P$

• $\mathsf{new}\,u_1 \ldots u_n\ \ !P_1\,|\,\ldots\,|\,!P_m\,|\,M_1\,|\,\ldots\,|\,M_k\,|\,u(w).P + M'_1\,|\,\bar{u}\langle v\rangle.Q + M'_2$
$\longrightarrow^n\ \mathsf{new}\,u_1 \ldots u_n\ \ !P_1\,|\,\ldots\,|\,!P_m\,|\,M_1\,|\,\ldots\,|\,M_k\,|\,P[v/w]\,|\,Q$

Lemma 22.

If $P \longrightarrow Q$ then there exists an $F$ such that $P \equiv F$ and $F \longrightarrow^n Q'$ and $Q' \equiv Q$.

Proof. By induction on the derivation $P \longrightarrow Q$. □

B.2 The Encoding

B.2.1 Syntactic Classes

chan : type.
expr : type.
sum : type.
act : type.


B.2.2 Pi-Calculus Terms

par : expr → expr → expr.
new : (chan → expr) → expr.
rep : expr → expr.
sync : sum → expr.
null : sum.
alt : act → sum → sum.
silent : expr → act.
in : chan → (chan → expr) → act.
out : chan → chan → expr → act.
proc : expr → type.


B.2.3 Representation of syntax

$\ulcorner P\,|\,Q \urcorner = \mathit{par}\ \ulcorner P \urcorner\ \ulcorner Q \urcorner$
$\ulcorner \mathsf{new}\,u\,P \urcorner = \mathit{new}\ (\lambda u.\,\ulcorner P \urcorner)$
$\ulcorner !P \urcorner = \mathit{rep}\ \ulcorner P \urcorner$
$\ulcorner M \urcorner = \mathit{sync}\ \ulcorner M \urcorner$

$\ulcorner 0 \urcorner = \mathit{null}$
$\ulcorner c + M \urcorner = \mathit{alt}\ \ulcorner c \urcorner\ \ulcorner M \urcorner$

$\ulcorner \tau.P \urcorner = \mathit{silent}\ \ulcorner P \urcorner$
$\ulcorner u(v).P \urcorner = \mathit{in}\ u\ (\lambda v.\,\ulcorner P \urcorner)$
$\ulcorner \bar{u}\langle v\rangle.P \urcorner = \mathit{out}\ u\ v\ \ulcorner P \urcorner$
In the proof of adequacy of reduction, we will find it useful to refer to the following
inverse representation function.

Definition 23. (Inverse representation function $\llcorner \cdot \lrcorner$)

$\llcorner \cdot \lrcorner = 0$
$\llcorner u{:}\mathit{chan}, \Gamma \lrcorner = \mathsf{new}\,u{:}\mathit{chan}\ \llcorner \Gamma \lrcorner$
$\llcorner u{:}\mathit{proc}\ P, \Gamma \lrcorner = !(\llcorner P \lrcorner)\,|\,\llcorner \Gamma \lrcorner$
$\llcorner x^{\wedge}\mathit{proc}\ P, \Gamma \lrcorner = \llcorner P \lrcorner\,|\,\llcorner \Gamma \lrcorner$
$\llcorner x^{\wedge}\mathit{choice}\ M, \Gamma \lrcorner = \llcorner M \lrcorner\,|\,\llcorner \Gamma \lrcorner$

$\llcorner \mathit{par}\ P\ Q \lrcorner = \llcorner P \lrcorner\,|\,\llcorner Q \lrcorner$
$\llcorner \mathit{new}\ (\lambda u{:}\mathit{chan}.\,P) \lrcorner = \mathsf{new}\,u\,(\llcorner P \lrcorner)$
$\llcorner \mathit{rep}\ P \lrcorner = !(\llcorner P \lrcorner)$
$\llcorner \mathit{sync}\ M \lrcorner = \llcorner M \lrcorner$
$\llcorner \mathit{null} \lrcorner = 0$
$\llcorner \mathit{alt}\ c\ M \lrcorner = \llcorner c \lrcorner + \llcorner M \lrcorner$
$\llcorner \mathit{silent}\ P \lrcorner = \tau.(\llcorner P \lrcorner)$
$\llcorner \mathit{in}\ u\ (\lambda v{:}\mathit{chan}.\,P) \lrcorner = u(v).(\llcorner P \lrcorner)$
$\llcorner \mathit{out}\ u\ v\ P \lrcorner = \bar{u}\langle v\rangle.(\llcorner P \lrcorner)$

B.2.4 Adequacy of Syntax

Lemma 24. (Adequacy of the Representation of Syntax)

Let $\Gamma = u_1{:}\mathit{chan}, \ldots, u_n{:}\mathit{chan}$.

a. $\Gamma \vdash N \Leftarrow \mathit{act}$ iff $N = \ulcorner c \urcorner$ where $c$ may contain $u_1 \ldots u_n$.

b. $\Gamma \vdash N \Leftarrow \mathit{sum}$ iff $N = \ulcorner M \urcorner$ where $M$ may contain $u_1 \ldots u_n$.

c. $\Gamma \vdash N \Leftarrow \mathit{expr}$ iff $N = \ulcorner P \urcorner$ where $P$ may contain $u_1 \ldots u_n$.

d. $\ulcorner \cdot \urcorner$ is a compositional bijection.

Proof.  Standard  techniques  from  LF  representation  methodology. 
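The representation $\ulcorner \cdot \urcorner$ of B.2.3, its inverse $\llcorner \cdot \lrcorner$ of Definition 23 (on object terms) and the bijection claimed in Lemma 24(d) can be exercised directly. The following Python is an added example, not code from the report: it encodes the π-calculus syntax of B.1.1 as data classes and CLF objects as tagged tuples, implements both directions of the representation, builds the `select` proof terms of Lemma 47 (`next` applied $i-1$ times to `this`) and follows them into a sum, and runs the communication rule red2 of B.1.3 on two sums, reporting which alternatives a pair of `select` terms would have to pick. Every class and function name, and the sample processes in the usage, are the example's own; substitution assumes bound names are distinct from the value being substituted.

```python
from dataclasses import dataclass

# π-calculus syntax of B.1.1 as Python data (this example's own encoding).
# A Sum holds its actions as a tuple, so Sum(()) is the empty sum 0.
@dataclass(frozen=True)
class Par:
    left: object
    right: object

@dataclass(frozen=True)
class New:
    u: str
    body: object

@dataclass(frozen=True)
class Rep:
    body: object

@dataclass(frozen=True)
class Sum:
    acts: tuple

@dataclass(frozen=True)
class Tau:
    cont: object

@dataclass(frozen=True)
class In:
    chan: str
    bound: str
    cont: object

@dataclass(frozen=True)
class Out:
    chan: str
    value: str
    cont: object

def rep_sum(m):
    """⌜0⌝ = null, ⌜c + M⌝ = alt ⌜c⌝ ⌜M⌝ (CLF constructors as tagged tuples)."""
    r = ("null",)
    for c in reversed(m.acts):
        r = ("alt", rep(c), r)
    return r

def rep(t):
    """⌜·⌝ of B.2.3 on process expressions and actions."""
    if isinstance(t, Par): return ("par", rep(t.left), rep(t.right))
    if isinstance(t, New): return ("new", ("lam", t.u, rep(t.body)))
    if isinstance(t, Rep): return ("rep", rep(t.body))
    if isinstance(t, Sum): return ("sync", rep_sum(t))
    if isinstance(t, Tau): return ("silent", rep(t.cont))
    if isinstance(t, In):  return ("in", t.chan, ("lam", t.bound, rep(t.cont)))
    if isinstance(t, Out): return ("out", t.chan, t.value, rep(t.cont))
    raise TypeError(t)

def inv(o):
    """⌊·⌋ of Definition 23 on object terms (the context clauses are not needed here)."""
    tag = o[0]
    if tag == "par":    return Par(inv(o[1]), inv(o[2]))
    if tag == "new":    return New(o[1][1], inv(o[1][2]))
    if tag == "rep":    return Rep(inv(o[1]))
    if tag == "sync":
        acts, m = [], o[1]
        while m[0] == "alt":            # alt c M ↦ ⌊c⌋ + ⌊M⌋, down to null
            acts.append(inv(m[1]))
            m = m[2]
        return Sum(tuple(acts))
    if tag == "silent": return Tau(inv(o[1]))
    if tag == "in":     return In(o[1], o[2][1], inv(o[2][2]))
    if tag == "out":    return Out(o[1], o[2], inv(o[3]))
    raise ValueError(tag)

def select_term(i):
    """The object N of Lemma 47 that picks alternative i (1-based): next^(i-1) this."""
    return ("this",) if i == 1 else ("next", select_term(i - 1))

def selected(rsum, n):
    """Follow N into ⌜M⌝ as the types of this/next dictate, returning the chosen ⌜c⌝."""
    if rsum[0] != "alt":
        raise ValueError("select applied past the end of the sum")
    return rsum[1] if n[0] == "this" else selected(rsum[2], n[1])

def subst(p, y, v):
    """P[v/y]: replace free channel y by v.  Assumes bound names are distinct from v."""
    def ren(n):
        return v if n == y else n
    if isinstance(p, Par): return Par(subst(p.left, y, v), subst(p.right, y, v))
    if isinstance(p, New): return p if p.u == y else New(p.u, subst(p.body, y, v))
    if isinstance(p, Rep): return Rep(subst(p.body, y, v))
    if isinstance(p, Sum): return Sum(tuple(subst(c, y, v) for c in p.acts))
    if isinstance(p, Tau): return Tau(subst(p.cont, y, v))
    if isinstance(p, In):
        cont = p.cont if p.bound == y else subst(p.cont, y, v)
        return In(ren(p.chan), p.bound, cont)
    if isinstance(p, Out): return Out(ren(p.chan), ren(p.value), subst(p.cont, y, v))
    raise TypeError(p)

def communicate(m1, m2):
    """Rule red2: (u(y).P + M1') | (ū⟨v⟩.Q + M2') → P[v/y] | Q.
    Returns the 1-based alternatives chosen (what the two select terms would pick)
    and the resulting process, or None when no input/output pair shares a channel."""
    for i, c in enumerate(m1.acts):
        if isinstance(c, In):
            for j, d in enumerate(m2.acts):
                if isinstance(d, Out) and d.chan == c.chan:
                    return (i + 1, j + 1), Par(subst(c.cont, c.bound, d.value), d.cont)
    return None
```

Round-tripping a process through `rep` and `inv` returns the same data, which is the object-level half of Lemma 24(d); `communicate` returning the pair of indices makes explicit that the two `select` objects passed to the communication rule in B.2.5 are nothing more than positions inside the two sums.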
B.2.5 Reduction rules

fork : proc (par P Q) ⊸ {proc P ⊗ proc Q}.
name : proc (new (λu. P u)) ⊸ {∃u:chan. proc (P u)}.
promote : proc (rep P) ⊸ {!(proc P)}.

choice : sum → type.
suspend : proc (sync M) ⊸ {choice M}.
exit : choice null ⊸ {1}.

select : sum → act → type.
this : select (alt C M) C.
next : select M C → select (alt C M) C.

internal : choice M ⊸ select M (silent P) → proc P.
external : choice M1 ⊸ choice M2 ⊸
           select M1 (in U (λw:chan. P w)) → select M2 (out U V Q) →
           {proc (par (P V) Q)}.

From this point forward, assume all CLF terms, computations, judgments and derivations
are checked with respect to the signature given above.


B.2.6 Representation of Reduction

Definition 25. (General Contexts $\Gamma$)

The following sorts of context may arise during a computation in CLF.

$\Gamma ::= \cdot \mid \Gamma, u{:}\mathit{chan} \mid \Gamma, u{:}\mathit{proc}\ P \mid \Gamma, x^{\wedge}\mathit{proc}\ P \mid \Gamma, x^{\wedge}\mathit{choice}\ M$

Definition 26. (Representation Relation $\longleftrightarrow$)

$P \longleftrightarrow \Gamma$ if and only if $\llcorner \Gamma \lrcorner = Q$ and $Q \equiv P$

Definition 27. (Context Equivalence $\Gamma \equiv \Gamma'$)

Let assumptions of the form $x{?}A$ be either linear or unrestricted assumptions.

$\Gamma, x{?}A, y{?}B, \Gamma' \equiv \Gamma, y{?}B, x{?}A, \Gamma'$  (eq1, if $x \notin B$ and $y \notin A$)

$\Gamma, \Gamma' \equiv \Gamma, u{:}\mathit{chan}, \Gamma'$  (eq2, if $u \notin \Gamma'$) \qquad $\Gamma, u{:}\mathit{chan}, \Gamma' \equiv \Gamma, \Gamma'$  (eq3, if $u \notin \Gamma'$)

$\Gamma \equiv \Gamma$  (eq4) \qquad $\dfrac{\Gamma \equiv \Gamma'' \qquad \Gamma'' \equiv \Gamma'}{\Gamma \equiv \Gamma'}$ (eq5)

Definition 28. (Composition of Computations $E(E')$)

We define the composition of two computations $E$ and $E'$ with type $\top$, denoted $E(E')$,
as the computation that results from substituting $E'$ for the terminal $\langle\rangle$ in $E$.

Definition 29. (Representation of Structural Equivalence $\Longrightarrow_S$)

$\Gamma_1, E \Longrightarrow_S \Gamma_3$ if

1. $E = \langle\rangle$ and $\Gamma_1 \equiv \Gamma_3$, or

2. $E = \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E'$ and there is a normal derivation of the following form:

$\Gamma_1 \vdash \mathsf{let}\ \{p\} = R\ \mathsf{in}\ E' \leftarrow \top$
$\Gamma_2 \vdash E' \leftarrow \top$

and $\Gamma_2, E' \Longrightarrow_S \Gamma_3$ and $R$ is one of the following atomic forms (where we let $x$ range
over either linear or unrestricted variables):

$\mathit{exit}^{\wedge}x \qquad \mathit{fork}^{\wedge}x \qquad \mathit{name}^{\wedge}x \qquad \mathit{promote}^{\wedge}x \qquad \mathit{suspend}^{\wedge}x$

Definition 30. (Representation of the Single-Step Reduction $\Longrightarrow$)

$\Gamma_0, E(\mathsf{let}\ \{p\} = R\ \mathsf{in}\ \langle\rangle) \Longrightarrow \Gamma'_2$ iff $\Gamma_0, E \Longrightarrow_S \Gamma_1$ and

$\Gamma_1 \vdash \mathsf{let}\ \{p\} = R\ \mathsf{in}\ \langle\rangle \leftarrow \top$
$\Gamma_2 \vdash \langle\rangle \leftarrow \top$

and $\Gamma_2 \equiv \Gamma'_2$ and $R$ is one of the following atomic forms (where we let $x, x_1, x_2$ range over
either linear or unrestricted variables):

$\mathit{external}^{\wedge}x\ N \qquad \mathit{internal}^{\wedge}x_1{}^{\wedge}x_2\ N_1\ N_2$

and $N, N_1, N_2 ::= \mathit{this} \mid \mathit{next}\ N$

Definition 31. (Representation of the Multi-Step Reduction $\Longrightarrow^*$)

$\Gamma_1, E \Longrightarrow^* \Gamma_k$ iff

1. $\Gamma_1, E \Longrightarrow_S \Gamma_k$, or

2. $E = E_1(E_2)$ and $\Gamma_1, E_1 \Longrightarrow \Gamma_2$ and $\Gamma_2, E_2 \Longrightarrow^* \Gamma_k$

B.2.7  Properties  of  Context  Equivalence 

The following simple properties of contexts and context equivalence will be useful in our
proofs of adequacy. In particular, Lemma 35 states that the same structural, single-step
and multi-step reductions may occur under any equivalent context.

Lemma 32. (Context Equivalence Is Symmetric)

If $\Gamma \equiv \Gamma'$, then $\Gamma' \equiv \Gamma$.

Proof. By induction on the derivation $\Gamma \equiv \Gamma'$. □

Lemma 33.

If $\Gamma, u{:}\mathit{chan}, \Gamma' \vdash E \leftarrow \top$ and $u \notin \Gamma'$, then $u \notin E$.

Proof. By induction on the structure of the normal proofs. □

Lemma 34. (Frame Lemma, part 1)

If $\Gamma \equiv \Gamma'$, then $\Gamma, \Gamma'' \equiv \Gamma', \Gamma''$.

Proof. By induction on the structure of the derivation $\Gamma \equiv \Gamma'$. □

Lemma 35.

a. If $\Gamma \vdash E \leftarrow \top$ and $\Gamma \equiv \Gamma'$, then $\Gamma' \vdash E \leftarrow \top$.

b. If $\Gamma, E \Longrightarrow_S \Gamma_2$ and $\Gamma \equiv \Gamma'$, then $\Gamma', E \Longrightarrow_S \Gamma_2$.

c. If $\Gamma, E \Longrightarrow \Gamma_2$ and $\Gamma \equiv \Gamma'$, then $\Gamma', E \Longrightarrow \Gamma_2$.

d. If $\Gamma, E \Longrightarrow^* \Gamma_2$ and $\Gamma \equiv \Gamma'$, then $\Gamma', E \Longrightarrow^* \Gamma_2$.

Proof.

a. By induction on the derivation $\Gamma \equiv \Gamma'$.

Case eq1: By the exchange property of the framework.

Case eq2: By the unrestricted weakening property of the framework.

Case eq3: By Lemma 33 and strengthening of unused unrestricted assumptions.

Case eq4: Trivial.

Case eq5: By the induction hypothesis.

b, c, d. Corollaries of part (a).

□

B.2.8  Reactive  Processes 

Rules red3, red4 and red5 allow reduction to occur deep within the structure of a process.
The following grammar defines the places where reduction may occur. Lemma 37 formalizes
the intuition that reduction may occur in any of these places.

Definition 36. (Processes with a Hole $H$)

$H ::= [\,] \mid (H\,|\,P) \mid (P\,|\,H) \mid \mathsf{new}\,u{:}\mathit{chan}\,H$

We substitute a process $Q$ for the hole $[\,]$ using the notation $H[Q]$.

Lemma 37.

a. $\llcorner (\Gamma, \Gamma') \lrcorner = H[\llcorner \Gamma' \lrcorner]$ for some process with a hole $H$.

b. If $P \equiv Q$, then $H[P] \equiv H[Q]$.

c. If $P \longrightarrow Q$, then $H[P] \longrightarrow H[Q]$.

d. If $P \longrightarrow^* Q$, then $H[P] \longrightarrow^* H[Q]$.

e. If $\llcorner (\Gamma, \Gamma') \lrcorner = H[\llcorner \Gamma' \lrcorner]$, then $\llcorner (\Gamma, \Gamma'') \lrcorner = H[\llcorner \Gamma'' \lrcorner]$.

Proof.

a. By induction on the structure of $\Gamma$.

b. By induction on the structure of $H$.

c. By induction on the structure of $H$.

d. By induction on the derivation $P \longrightarrow^* Q$. The base case relies on part (b). The
inductive case relies on part (c).

e. By induction on the structure of $\Gamma$.

□

A process is reactive if it appears in a position that allows it to take part in the next step in
a computation. In other words, a process is reactive if it appears under "new" or "!",
but not if it is prefixed by an input or output action.

Definition 38. (Reactive Processes (1))

$Y ::= [\,] \mid (Y\,|\,P) \mid (P\,|\,Y) \mid \mathsf{new}\,u\,Y \mid\ !Y$

Definition 39. (Reactive Processes (2))

$Z ::= H[Y_1\,|\,Y_2]$

We use the notation $Y[M]$ for the process formed by filling the hole in $Y$ with $M$. We
use the notation $Z[M_1, M_2]$ for a process formed by filling the holes in $Z$ with $M_1$ and $M_2$
(the hole $Y_1$ is filled by $M_1$ and the hole $Y_2$ is filled by $M_2$).

Definition 40. ($M$ in $P$)

$M$ in $P$ iff $P = Y[M']$ and $M' \equiv M$

Definition 41. ($M_1, M_2$ in $P$)

$M_1, M_2$ in $P$ iff $M_1 \equiv M'_1$ and $M_2 \equiv M'_2$ and

1. $P = Z[M'_1, M'_2]$, or

2. $P = Z[M'_2, M'_1]$, or

3. $P = H[!Q]$ and $M'_1$ in $Q$ and $M'_2$ in $Q$

Definition 42. ($M$ in $\Gamma$)

$M$ in $\Gamma$ iff

1. $\Gamma = (\Gamma_1, u{:}\mathit{proc}\ P, \Gamma_2)$ and $M$ in $\llcorner P \lrcorner$, or

2. $\Gamma = (\Gamma_1, x^{\wedge}\mathit{proc}\ P, \Gamma_2)$ and $M$ in $\llcorner P \lrcorner$, or

3. $\Gamma = (\Gamma_1, x^{\wedge}\mathit{choice}\ M', \Gamma_2)$ and $M$ in $\llcorner M' \lrcorner$

Definition 43. ($M_1, M_2$ in $\Gamma$)

$M_1, M_2$ in $\Gamma$ iff

1. $\Gamma = (\Gamma_1, u{:}\mathit{proc}\ P, \Gamma_2)$ and $M_1$ in $\llcorner P \lrcorner$ and $M_2$ in $\llcorner P \lrcorner$, or

2. $\Gamma = (\Gamma_1, x^{\wedge}\mathit{proc}\ P, \Gamma_2)$ and $M_1, M_2$ in $\llcorner P \lrcorner$, or

3. $\Gamma = (\Gamma_1, \Gamma_2)$ and $M_1$ in $\Gamma_1$ and $M_2$ in $\Gamma_2$, or
$\Gamma = (\Gamma_1, \Gamma_2)$ and $M_2$ in $\Gamma_1$ and $M_1$ in $\Gamma_2$
Lemma 44.

a. If $M$ in $P$ and $P \equiv Q$, then $M$ in $Q$.

b. If $M_1, M_2$ in $P$ and $P \equiv Q$, then $M_1, M_2$ in $Q$.

Proof. In both parts, by induction on the structure of the derivation of $P \equiv Q$. □

Lemma 45.

a. If $M$ in $\llcorner \Gamma \lrcorner$, then $M$ in $\Gamma$.

b. If $M_1, M_2$ in $\llcorner \Gamma \lrcorner$, then $M_1, M_2$ in $\Gamma$.

Proof. By induction on the structure of $\Gamma$. □

Lemma 46.

a. If $M$ in $\Gamma$, then $\Gamma, E \Longrightarrow_S \Gamma', x^{\wedge}\mathit{choice}\ M'$ and $\llcorner M' \lrcorner = M$.

b. If $M_1, M_2$ in $\Gamma$, then $\Gamma, E \Longrightarrow_S (\Gamma'', x^{\wedge}\mathit{choice}\ M'_1, y^{\wedge}\mathit{choice}\ M'_2)$ and $\llcorner M'_1 \lrcorner = M_1$ and
$\llcorner M'_2 \lrcorner = M_2$.

Proof.

a. By induction on the nesting depth of $M$ in $\Gamma$, where the nesting depth of an arbitrary
$M$ in a context $\Gamma$ ($\mathit{depth}(M; \Gamma)$) is defined as follows:

$\mathit{depth}(M;\ \Gamma_1, x^{\wedge}\mathit{choice}\ M', \Gamma_2) = 0$  (if $\llcorner M' \lrcorner = M$)
$\mathit{depth}(M;\ \Gamma_1, u{:}\mathit{proc}\ P, \Gamma_2) = \mathit{depth}(M;\ P) + 1$
$\mathit{depth}(M;\ \Gamma_1, x^{\wedge}\mathit{proc}\ P, \Gamma_2) = \mathit{depth}(M;\ P) + 1$

$\mathit{depth}(M;\ \mathit{sync}\ M') = 1$  (if $\llcorner M' \lrcorner = M$)
$\mathit{depth}(M;\ \mathit{par}\ P_1\ P_2) = \min(\mathit{depth}(M;\ P_1), \mathit{depth}(M;\ P_2)) + 1$
$\mathit{depth}(M;\ \mathit{new}\ (\lambda u{:}\mathit{chan}.\,P)) = \mathit{depth}(M;\ P) + 1$
$\mathit{depth}(M;\ \mathit{rep}\ P) = \mathit{depth}(M;\ P) + 1$

b. By induction on $\mathit{depth}(M_1; \Gamma) + \mathit{depth}(M_2; \Gamma)$.

□


Lemma 47.

If $\Gamma \vdash \ulcorner c_1 + \ldots + c_n + 0 \urcorner \Leftarrow \mathit{sum}$, then for all $i$, $1 \le i \le n$, there exists $N$ such that
$\Gamma \vdash N \Leftarrow (\mathit{select}\ \ulcorner c_1 + \ldots + c_n + 0 \urcorner\ \ulcorner c_i \urcorner)$.

Proof. By induction on $i$.

Case $i = 1$:

$\ulcorner c_1 + \ldots + c_n + 0 \urcorner = \mathit{alt}\ \ulcorner c_1 \urcorner\ \ulcorner c_2 + \ldots + c_n + 0 \urcorner$  (by definition of $\ulcorner \cdot \urcorner$)

$\Gamma \vdash \mathit{this} \Leftarrow \mathit{select}\ (\mathit{alt}\ \ulcorner c_1 \urcorner\ \ulcorner c_2 + \ldots + c_n + 0 \urcorner)\ \ulcorner c_1 \urcorner$  (by type of $\mathit{this}$, well-formedness
of $\ulcorner c_1 + \ldots + c_n + 0 \urcorner$ in $\Gamma$)

Hence $N = \mathit{this}$.

Case $i = k$:

$\Gamma \vdash N' \Leftarrow \mathit{select}\ \ulcorner c_2 + \ldots + c_n + 0 \urcorner\ \ulcorner c_k \urcorner$  (by induction)

$\Gamma \vdash (\mathit{next}\ N') \Leftarrow \mathit{select}\ (\mathit{alt}\ \ulcorner c_1 \urcorner\ \ulcorner c_2 + \ldots + c_n + 0 \urcorner)\ \ulcorner c_k \urcorner$  (by type of $\mathit{next}$, well-formedness
of the sequence)

Hence $N = \mathit{next}\ N'$.

□

Lemma 48.

a. If $\Gamma \vdash N \Leftarrow (\mathit{select}\ M\ (\mathit{silent}\ P))$, then $\llcorner M \lrcorner \longrightarrow \llcorner P \lrcorner$.

b. If $\Gamma \vdash N_1 \Leftarrow (\mathit{select}\ M_1\ (\mathit{in}\ u\ v.P))$ and if $\Gamma \vdash N_2 \Leftarrow (\mathit{select}\ M_2\ (\mathit{out}\ u\ w.Q))$, then
$\llcorner (M_1\,|\,M_2) \lrcorner \longrightarrow \llcorner (P[w/v]\,|\,Q) \lrcorner$.

Proof.

a. By induction on the form of $N$,

$\llcorner M \lrcorner = c_1 + \ldots + c_n + \tau.\llcorner P \lrcorner + M'$
$\equiv \tau.\llcorner P \lrcorner + c_1 + \ldots + c_n + M'$  (by str14, str16)
$\longrightarrow \llcorner P \lrcorner$  (by red1)

Hence, $\llcorner M \lrcorner \longrightarrow \llcorner P \lrcorner$.

b. By induction on the structure of the normal proof $N_1$,

$\llcorner M_1 \lrcorner = c_1 + \ldots + c_n + u(v).\llcorner P \lrcorner + M'$
$\equiv u(v).\llcorner P \lrcorner + c_1 + \ldots + c_n + M'$  (by str14, str16).

By induction on the structure of the normal proof $N_2$,

$\llcorner M_2 \lrcorner = c'_1 + \ldots + c'_m + \bar{u}\langle w\rangle.\llcorner Q \lrcorner + M''$
$\equiv \bar{u}\langle w\rangle.\llcorner Q \lrcorner + c'_1 + \ldots + c'_m + M''$  (by str14, str16).

By red2, $\llcorner M_1 \lrcorner\,|\,\llcorner M_2 \lrcorner \longrightarrow \llcorner (P[w/v]\,|\,Q) \lrcorner$.

□


Lemma 49.

a. If $M_1 \equiv c + M_2$, then $M_1 = c_1 + \ldots + c_n + 0$ and $c \equiv c_i$ for some $i$.

b. If $c \equiv \tau.P$, then $c = \tau.P'$ and $P \equiv P'$.

c. If $c \equiv u(v).P$, then $c = u(v).P'$ and $P \equiv P'$.

d. If $c \equiv \bar{u}\langle v\rangle.P$, then $c = \bar{u}\langle v\rangle.P'$ and $P \equiv P'$.

Proof. (a, b, c, d) by induction on the structural equivalence relation in the premise. □

Lemma 50.

a. If $\Gamma, E \Longrightarrow_S \Gamma'$ and $\Gamma', E' \Longrightarrow_S \Gamma''$, then $\Gamma, E(E') \Longrightarrow_S \Gamma''$.

b. If $\Gamma, E \Longrightarrow_S \Gamma'$ and $\Gamma', E' \Longrightarrow \Gamma''$, then $\Gamma, E(E') \Longrightarrow \Gamma''$.

Proof.

a. By induction on the structure of $E$. Uses Lemma 35(b) in the base case.

b. Corollary of part (a).

□


B.2.9  Adequacy  of  Reductions 

In  this  section,  we  state  and  prove  our  final  adequacy  results  for  structural  equivalence, 
single-step  and  multi-step  reductions. 

Lemma 51.

a. If $\Gamma \equiv \Gamma'$, then $\llcorner \Gamma \lrcorner \equiv \llcorner \Gamma' \lrcorner$.

b. If $\Gamma, E \Longrightarrow_S \Gamma'$, then $\llcorner \Gamma \lrcorner \equiv \llcorner \Gamma' \lrcorner$.

Proof.

a. By induction on the derivation of context equivalence.

Case eq1: Given: $\Gamma, x{?}A, y{?}B, \Gamma' \equiv \Gamma, y{?}B, x{?}A, \Gamma'$ ($x \notin B$, $y \notin A$)

Let $X, Y$ range over assumptions of the following forms:
$u{:}\mathit{proc}\ P \qquad x^{\wedge}\mathit{proc}\ P \qquad x^{\wedge}\mathit{choice}\ M$

Let $U, W$ range over assumptions of the form $u{:}\mathit{chan}$.
There are 4 subcases:

$\llcorner (\Gamma, X, Y, \Gamma') \lrcorner = H[Q\,|\,R\,|\,\llcorner \Gamma' \lrcorner]$  (by definition of $\llcorner \cdot \lrcorner$, Lemma 37(a))
$\equiv H[R\,|\,Q\,|\,\llcorner \Gamma' \lrcorner]$  (by str2, str10, then Lemma 37(b))
$= \llcorner (\Gamma, Y, X, \Gamma') \lrcorner$  (by definition of $\llcorner \cdot \lrcorner$, Lemma 37(a))

$\llcorner (\Gamma, U, W, \Gamma') \lrcorner$: As above except we use equivalence rule str6.

$\llcorner (\Gamma, U, X, \Gamma') \lrcorner$: As above except we use equivalence rule str5.

$\llcorner (\Gamma, X, U, \Gamma') \lrcorner$: As above except we use equivalence rules str5 and str8.

Case eq2: As above except we use equivalence rule str4.

Case eq3: As above except we use equivalence rules str4 and str9.

Case eq4: Trivial.

Case eq5: By induction and then rule str9.

b. By induction on the structure of the proofs $E$ given via the definition of $\Longrightarrow_S$.

□


Corollary  52. 

IfT,E  =>s  r7  and  P  < — ♦  r ,  then  P  *  >  F  . 

Proof.  Corollary  of  Lemma  51(b). 

Theorem  53.  ( Adequacy  1) 

a.  IfT,E  =^s  L7  and  R  < — *  F,  then  P  *  ♦  F  . 

b.  IfT,  E  =»  r'  and  P  < — ♦  T,  then  P  -*■  Q  and  Q  * — ♦  V. 

C.  If  r,  E  =>*  T'  and  P*—>T,  then  P  — ♦*  Q  and  Q  < — ♦  V. 

d.  E  is  a  normal  proof  iff  there  exists  F  and  V  such  that  F,  E  >  F  . 

Proof.

a. $P \equiv \lfloor\Gamma\rfloor$ (by definition of $\longleftrightarrow$)
$\lfloor\Gamma\rfloor \equiv \lfloor\Gamma'\rfloor$ (by Lemma 51(b))
$P \longleftrightarrow \Gamma'$ (by transitivity of $\equiv$ and definition of $\longleftrightarrow$)

b. By definition, $\Gamma, E(\mathsf{let}\ \{p\} = R\ \mathsf{in}\ ()) \Rightarrow \Gamma'$ iff

$\Gamma_1 \vdash \mathsf{let}\ \{p\} = R\ \mathsf{in}\ () \Leftarrow \top$
$\Gamma_2 \vdash () \Leftarrow \top$

and $\Gamma_2 \equiv \Gamma'$ [6], and either of the following two cases applies.

Case $N = \mathsf{internal}\hat{}x\ N'$. Then,

$P \longleftrightarrow \Gamma$ (by assumption)
$P \longleftrightarrow \Gamma_1$ [1] (by Adequacy 1a)
$\Gamma_1 = \Gamma'', x\hat{}\,\mathsf{choice}\ M_1$ [2] (by CLF typing)
$\Gamma_2 = \Gamma'', x\hat{}\,\mathsf{proc}\ P'$ [3] (by CLF typing)
$\Gamma'' \vdash N' \Leftarrow \mathsf{select}\ M_1\ (\mathsf{silent}\ P')$ [4] (by CLF typing)
$\lfloor M_1\rfloor \to \lfloor P'\rfloor$ [5] (by [4], Lemma 13(a))
$P \equiv \lfloor(\Gamma'', x\hat{}\,\mathsf{choice}\ M_1)\rfloor$ (by [1,2], definition of $\longleftrightarrow$)
$= H[\lfloor M_1\rfloor]$ (by Lemma 37(a))
$\to H[\lfloor P'\rfloor]$ (by [5], Lemma 37(e))
$= \lfloor(\Gamma'', x\hat{}\,\mathsf{proc}\ P')\rfloor$ (by Lemma 37(e))
$= \lfloor\Gamma_2\rfloor$ (by [3], Lemma 51(a))
$\equiv \lfloor\Gamma'\rfloor$ (by [6], Lemma 51(a))

Hence, $P \to \lfloor\Gamma'\rfloor$ and by definition $\lfloor\Gamma'\rfloor \longleftrightarrow \Gamma'$.

Case $N = \mathsf{external}\hat{}x\hat{}y\ N_1\ N_2$. Then,

$P \longleftrightarrow \Gamma$ (by assumption)
$P \longleftrightarrow \Gamma_1$ (by Adequacy 1a)
$\Gamma_1 = \Gamma'', x\hat{}\,\mathsf{choice}\ M_1, y\hat{}\,\mathsf{choice}\ M_2$ (by CLF typing)
$\Gamma_2 = \Gamma'', x\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q)$ (by CLF typing)
$\Gamma'' \vdash N_1 \Leftarrow \mathsf{select}\ M_1\ (u(v).P')$ [1] (by CLF typing)
$\Gamma'' \vdash N_2 \Leftarrow \mathsf{select}\ M_2\ (u(w).Q)$ [2] (by CLF typing)
$\lfloor M_1\rfloor \mid \lfloor M_2\rfloor \to \lfloor(P'[w/v] \mid Q)\rfloor$ [3] (by [1,2], Lemma 48(b))
$P \equiv \lfloor(\Gamma'', x\hat{}\,\mathsf{choice}\ M_1, y\hat{}\,\mathsf{choice}\ M_2)\rfloor$ (by definition of $\longleftrightarrow$)
$= H[\lfloor M_1\rfloor \mid \lfloor M_2\rfloor]$ (by definition of $\lfloor\_\rfloor$)
$\to H[\lfloor(P'[w/v] \mid Q)\rfloor]$ (by [3], Lemma 5(c))
$= \lfloor(\Gamma'', x\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q))\rfloor$ (by Lemma 37(e))
$= \lfloor\Gamma_2\rfloor$ (by Lemma 51(a))
$\equiv \lfloor\Gamma'\rfloor$ (by Lemma 51(a))

Hence, $P \to \lfloor\Gamma'\rfloor$ and $\lfloor\Gamma'\rfloor \longleftrightarrow \Gamma'$ by definition.

c. By induction on the derivation of $\Gamma, E \Rightarrow^* \Gamma'$.

d. If direction, by induction on the derivation of $\Gamma, E \Rightarrow^* \Gamma'$. Only if direction, by induction on the structure of normal proofs.


□ 


Theorem 54. (Adequacy 2)

a. If $P \equiv Q$ and $P \longleftrightarrow \Gamma$, then $Q \longleftrightarrow \Gamma$.

b. If $P \longleftrightarrow \Gamma$ and $P \to Q$, then there exist $E$ and $\Gamma'$ such that $\Gamma, E \Rightarrow \Gamma'$ and $Q \longleftrightarrow \Gamma'$.

c. If $P \longleftrightarrow \Gamma$ and $P \to^* Q$, then there exist $E$ and $\Gamma'$ such that $\Gamma, E \Rightarrow^* \Gamma'$ and $Q \longleftrightarrow \Gamma'$.
Proof.

a. Trivial by the definition of $P \longleftrightarrow \Gamma$ and transitivity of $\equiv$.

b. By Lemma 22, there exists an $F$ such that $P \equiv F$ and $F \to Q'$ and $Q' \equiv Q$. By definition of $\longleftrightarrow$ and transitivity of $\equiv$, our obligation reduces to proving:

If $F = \lfloor\Gamma\rfloor$ and $F \to Q'$, then there exist $E$ and $\Gamma'$ such that $\Gamma, E \Rightarrow \Gamma'$ and $Q' \equiv \lfloor\Gamma'\rfloor$.

Case 1: $F = \mathsf{new}\ u_1 \ldots u_n.\ (!P_1 \mid \ldots \mid !P_m \mid M_1 \mid \ldots \mid M_k \mid \tau.P + M)$.

$Q' = \mathsf{new}\ u_1 \ldots u_n.\ (!P_1 \mid \ldots \mid !P_m \mid M_1 \mid \ldots \mid M_k \mid P)$ (by definition of $\to$)
$\tau.P + M$ in $\lfloor\Gamma\rfloor$ (by Lemma 44 and $F = \lfloor\Gamma\rfloor$)
$\tau.P + M$ in $\Gamma$ (by Lemma 45)
$\Gamma, E \Rightarrow_s \Gamma_1, x\hat{}\,\mathsf{choice}\ M_1'$ and $\tau.P + M = \lfloor M_1'\rfloor$ (by Lemma 46)
$\lfloor M_1'\rfloor = c_1 + \ldots + c_n + 0$ and $c_i = \tau.P'$ and $P \equiv P'$ (by Lemma 49(a,b))
$\Gamma_1 \vdash N_1 \Leftarrow \mathsf{select}\ M_1'\ (\tau.\lceil P\rceil)$ (by Lemma 47)
$\Gamma_1, x\hat{}\,\mathsf{choice}\ M_1' \vdash \mathsf{let}\ \{z\hat{}\,\mathsf{proc}\ \lceil P\rceil\} = \mathsf{internal}\hat{}x\ N_1\ \mathsf{in}\ () \Rightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ \lceil P\rceil$ (by CLF typing)

Hence, by definition of $\Rightarrow$, $\Gamma, E(\mathsf{let}\ \{z\hat{}\,\mathsf{proc}\ \lceil P\rceil\} = \mathsf{internal}\hat{}x\ N_1\ \mathsf{in}\ ()) \Rightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ \lceil P\rceil$ and $Q \longleftrightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ \lceil P\rceil$.

Case 2: $F = \mathsf{new}\ u_1 \ldots u_n.\ (!P_1 \mid \ldots \mid !P_m \mid M_1 \mid \ldots \mid M_k \mid c_1 + M_1' \mid c_2 + M_2')$, where $c_1 = u(y).P$ and $c_2 = u(w).Q''$.

$Q' = \mathsf{new}\ u_1 \ldots u_n.\ (!P_1 \mid \ldots \mid !P_m \mid M_1 \mid \ldots \mid M_k \mid P[w/y] \mid Q'')$ (by definition of $\to$)
$c_1 + M_1', c_2 + M_2'$ in $\lfloor\Gamma\rfloor$ (by Lemma 44 and $F = \lfloor\Gamma\rfloor$)
$c_1 + M_1', c_2 + M_2'$ in $\Gamma$ (by Lemma 45)
$\Gamma, E \Rightarrow_s \Gamma_1, x\hat{}\,\mathsf{choice}\ M_1'', y\hat{}\,\mathsf{choice}\ M_2''$ and $c_1 + M_1' = \lfloor M_1''\rfloor$ and $c_2 + M_2' = \lfloor M_2''\rfloor$ (by Lemma 46)
$\lfloor M_1''\rfloor = d_1 + \ldots + d_n + 0$ and $d_i = u(v).P'$ and $P \equiv P'$ (by Lemma 49(a,c))
$\lfloor M_2''\rfloor = d_1 + \ldots + d_m + 0$ and $d_j = u(w).Q'''$ and $Q'' \equiv Q'''$ (by Lemma 49(a,d))
$\Gamma_1 \vdash N_1 \Leftarrow \mathsf{select}\ M_1''\ d_i$ (by Lemma 47)
$\Gamma_1 \vdash N_2 \Leftarrow \mathsf{select}\ M_2''\ d_j$ (by Lemma 47)
$\Gamma_1, x\hat{}\,\mathsf{choice}\ M_1'', y\hat{}\,\mathsf{choice}\ M_2'' \vdash \mathsf{let}\ \{z\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q''')\} = \mathsf{external}\hat{}x\hat{}y\ N_1\ N_2\ \mathsf{in}\ () \Rightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q''')$ (by CLF typing)

Hence, by definition of $\Rightarrow$, $\Gamma, E(\mathsf{let}\ \{z\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q''')\} = \mathsf{external}\hat{}x\hat{}y\ N_1\ N_2\ \mathsf{in}\ ()) \Rightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q''')$ and $Q \longleftrightarrow \Gamma_1, z\hat{}\,\mathsf{proc}\ (P'[w/v] \mid Q''')$.

c. By induction on the structure of the derivation of $P \to^* Q$ and appeal to part (b).


□ 